{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Malware Bazaar Lookup with MSTICpy\n",
    "\n",
    "Author: Thomas Roccia | @fr0gger_\n",
    "\n",
    "This notebook demonstrates the usage of the MalwareBazaar module for threat enrichment. \n",
    "\n",
    "More details can be found here: https://bazaar.abuse.ch/api/"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "\n",
       "This product includes GeoLite2 data created by MaxMind, available from\n",
       "<a href=\"https://www.maxmind.com\">https://www.maxmind.com</a>.\n"
      ],
      "text/plain": [
       "<IPython.core.display.HTML object>"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "# Import MBLookup from MSTICpy\n",
    "from msticpy.context.tiproviders.mblookup import MBlookup\n",
    "\n",
    "# Use the MBlookup class to get more details about the IOC.\n",
    "mblookup = MBlookup()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Lookup IOC\n",
    "The lookup_ioc function can be used to request several element to Malware Bazaar. It doesn't require any API key.\n",
    "\n",
    "To use the function you must specify the observable and the Malware Bazaar type.\n",
    "\n",
    "The list of type is the following: \n",
    "\n",
    "* 'hash': the sha256 hash of your sample (nb: the module does not calculate the hash automatically)\n",
    "* 'tag': the tag used on Malware Bazaar to retrieve a set of specific sample. You can use the 'limit' (default is 50)\n",
    "* 'filetype': the type of files you want to retrieve. Limit is 50 by default\n",
    "* 'clamav': the Clamav Signature that matches the samples you want to retrieve.\n",
    "* 'imphash': the imphash of files you want to retrieve.\n",
    "* 'dhash': the icon hash that matches the samples you want to retrieve.\n",
    "* 'yara': the Yara rule that matches the samples. \n",
    "* 'tlsh': the tlsh that matches the samples.\n",
    "* 'telfhash': the Telfhash that matches the samples.\n",
    "* 'issuerinfo': the certificate issuer that is used in the matching samples. \n",
    "* 'subjectinfo': the certificate subject that used by the samples. \n",
    "* 'certifcate': the serial number of the certificate.\n",
    "* 'gimphash': the go import hash.\n",
    "\n",
    "\n",
    "All that types must be specified in the mb_type variable with your IOC. The return of each will be a Pandas dataframe. The below examples shows how to use the module. \n"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Single Hash"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>vendor_intel.Triage.signatures</th>\n",
       "      <th>vendor_intel.Triage.malware_config</th>\n",
       "      <th>vendor_intel.ReversingLabs.threat_name</th>\n",
       "      <th>vendor_intel.ReversingLabs.status</th>\n",
       "      <th>vendor_intel.ReversingLabs.first_seen</th>\n",
       "      <th>vendor_intel.ReversingLabs.scanner_count</th>\n",
       "      <th>vendor_intel.ReversingLabs.scanner_match</th>\n",
       "      <th>vendor_intel.ReversingLabs.scanner_percent</th>\n",
       "      <th>vendor_intel.Spamhaus_HBL</th>\n",
       "      <th>vendor_intel.UnpacMe</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85...</td>\n",
       "      <td>139b8890e573e4c759e4904902b3ece1b4b8c1fd7a49fc...</td>\n",
       "      <td>77543bde72105ae1a28cc71815d9ea89ea162052</td>\n",
       "      <td>c40aead7a31d14e05b2ee4a11849eced</td>\n",
       "      <td>2020-10-19 09:54:37</td>\n",
       "      <td>None</td>\n",
       "      <td>New Order POA12990120 From Akweni Group.exe</td>\n",
       "      <td>903680</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>[{'signature': 'Azorult', 'score': '10'}, {'si...</td>\n",
       "      <td>[{'extraction': 'c2', 'family': 'azorult', 'c2...</td>\n",
       "      <td>ByteCode-MSIL.Trojan.AgentTesla</td>\n",
       "      <td>MALICIOUS</td>\n",
       "      <td>2020-10-19 05:14:13</td>\n",
       "      <td>28</td>\n",
       "      <td>23</td>\n",
       "      <td>82.14</td>\n",
       "      <td>[{'detection': 'malicious', 'link': 'https://w...</td>\n",
       "      <td>[{'sha256_hash': '7de2c1bf58bce09eecc70476747d...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>1 rows × 55 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                         sha256_hash  \\\n",
       "0  7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85...   \n",
       "\n",
       "                                       sha3_384_hash  \\\n",
       "0  139b8890e573e4c759e4904902b3ece1b4b8c1fd7a49fc...   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  77543bde72105ae1a28cc71815d9ea89ea162052  c40aead7a31d14e05b2ee4a11849eced   \n",
       "\n",
       "            first_seen last_seen                                    file_name  \\\n",
       "0  2020-10-19 09:54:37      None  New Order POA12990120 From Akweni Group.exe   \n",
       "\n",
       "   file_size         file_type_mime file_type  ...  \\\n",
       "0     903680  application/x-dosexec       exe  ...   \n",
       "\n",
       "                      vendor_intel.Triage.signatures  \\\n",
       "0  [{'signature': 'Azorult', 'score': '10'}, {'si...   \n",
       "\n",
       "                  vendor_intel.Triage.malware_config  \\\n",
       "0  [{'extraction': 'c2', 'family': 'azorult', 'c2...   \n",
       "\n",
       "   vendor_intel.ReversingLabs.threat_name vendor_intel.ReversingLabs.status  \\\n",
       "0         ByteCode-MSIL.Trojan.AgentTesla                         MALICIOUS   \n",
       "\n",
       "  vendor_intel.ReversingLabs.first_seen  \\\n",
       "0                   2020-10-19 05:14:13   \n",
       "\n",
       "  vendor_intel.ReversingLabs.scanner_count  \\\n",
       "0                                       28   \n",
       "\n",
       "  vendor_intel.ReversingLabs.scanner_match  \\\n",
       "0                                       23   \n",
       "\n",
       "  vendor_intel.ReversingLabs.scanner_percent  \\\n",
       "0                                      82.14   \n",
       "\n",
       "                           vendor_intel.Spamhaus_HBL  \\\n",
       "0  [{'detection': 'malicious', 'link': 'https://w...   \n",
       "\n",
       "                                vendor_intel.UnpacMe  \n",
       "0  [{'sha256_hash': '7de2c1bf58bce09eecc70476747d...  \n",
       "\n",
       "[1 rows x 55 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable='7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754', mb_type='hash')\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Latest samples that are tagged 'Emotet'"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>code_sign</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>994c6b6e6d07592cea62bd2b667c60694e862f17f7e740...</td>\n",
       "      <td>3500e84cac6ea8504d98d1c59e27b497f6241cc6943a60...</td>\n",
       "      <td>21280cb8d696d79f68e9bb99661d77aaddfa97c1</td>\n",
       "      <td>51b3e08cb5b18fd46876b4a9bebb0fd0</td>\n",
       "      <td>2022-08-08 21:20:27</td>\n",
       "      <td>None</td>\n",
       "      <td>Sample_62a03e5baa5b3700182f075d.xlsm</td>\n",
       "      <td>47898</td>\n",
       "      <td>application/vnd.openxmlformats-officedocument....</td>\n",
       "      <td>xlsm</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>768:X5WHFKfQzXTmbfRzdDTKufT9nz0LTyY1NiMZFYpvrL...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Emotet, Heodo, xlsm]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Sanesecurity.Malware.28370.badform.UNOFFICIAL...</td>\n",
       "      <td>362</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>c8a0a8bce7a0ea50386666600c2ce4c90e23adc02b921b...</td>\n",
       "      <td>4a055c57c7384f4caaf8f8a804cf0a0a40c448ede47126...</td>\n",
       "      <td>586ee85719397ae5548dbd724b92471ff62d5091</td>\n",
       "      <td>13e5decc722a39965a15f47bc3fabb44</td>\n",
       "      <td>2022-08-01 19:50:36</td>\n",
       "      <td>None</td>\n",
       "      <td>13e5decc722a39965a15f47bc3fabb44.exe</td>\n",
       "      <td>274472</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:flqhx0eX9B4DfdnCpObaAzmR1NtJWNmd9yKvj:GP9...</td>\n",
       "      <td>1003873d31213f10</td>\n",
       "      <td>[Emotet, exe, Heodo]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Dropper.Zeus-7729282-0, Win.Dropper.Zeus-...</td>\n",
       "      <td>433</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4...</td>\n",
       "      <td>365fba2160ee6c644daa99aaa92c02f30cfb8d427ff667...</td>\n",
       "      <td>c0ff465eb0b6ccc0f3a36bb593ced7453736a750</td>\n",
       "      <td>8d925c0da257436438893e6fe7ce2f4f</td>\n",
       "      <td>2022-08-01 11:40:55</td>\n",
       "      <td>None</td>\n",
       "      <td>sample</td>\n",
       "      <td>348504</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>dll</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:KRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2...</td>\n",
       "      <td>None</td>\n",
       "      <td>[dll, Emotet, Heodo]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Malware.Emotet-9823769-0, Win.Malware.Emo...</td>\n",
       "      <td>251</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>c409ad4f64a1ad925ffbfdb88f57dd9177123364a1875c...</td>\n",
       "      <td>42a45407c6132ce00c84add2111d159441acc5b35aa46e...</td>\n",
       "      <td>c8a2b0ae061b612f4d4a4cfc4ee3e1f7079b4240</td>\n",
       "      <td>7301880b88f87cd3a593f7106d5743cc</td>\n",
       "      <td>2022-07-23 02:54:09</td>\n",
       "      <td>None</td>\n",
       "      <td>7301880b88f87cd3a593f7106d5743cc</td>\n",
       "      <td>962048</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:kvyPTUfrN+lSDLV9dRCYFdVlv6jVBv4w8N6zTlvd...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.Emotet-FTY5BBDDAC95C90.16550...</td>\n",
       "      <td>327</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>8b5a10f9a8f2b25057442111a01faf021ef7e048eab875...</td>\n",
       "      <td>4e9a56bdf35825419667963ec4bd061f0fcc3ce036902d...</td>\n",
       "      <td>c6c966e4ba623f9972273de07b842ffbb9a9efce</td>\n",
       "      <td>1dd34935a785a419fb552b5086ea682e</td>\n",
       "      <td>2022-07-22 11:52:08</td>\n",
       "      <td>None</td>\n",
       "      <td>1dd34935a785a419fb552b5086ea682e</td>\n",
       "      <td>850944</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:jRCGXj4KVB9abMfyzfqvHWnyPv+LVHT2+2JNdX71...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.Emotet-FTNA218E3B03756.13897...</td>\n",
       "      <td>365</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>fc63829723b725fab3a69bac667f379d300b12d60cba35...</td>\n",
       "      <td>1b485e28ea1d8191366379171821e7f1dfa63e9be2a2f2...</td>\n",
       "      <td>02cb7bfaa6b00c7900a8d60040fe7d97ea9558d1</td>\n",
       "      <td>5c7b589a59f315aad49ca49c3481f2a9</td>\n",
       "      <td>2022-07-22 11:41:56</td>\n",
       "      <td>2022-07-22 18:20:13</td>\n",
       "      <td>5c7b589a59f315aad49ca49c3481f2a9</td>\n",
       "      <td>433664</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:jTZfuSuI5OORAL3Onl/+HuVPxskfcg3gA:jTxuI5...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Trojan.Emotet-9954177-0]</td>\n",
       "      <td>364</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>caa60b9025dfba07efac6cae5438a8e20d9b7c210a721a...</td>\n",
       "      <td>345acaa99928a3ab60ec0e860145372b7c38ce8cef078c...</td>\n",
       "      <td>abcbd283801a05390995862f59dcb5310f3d3d88</td>\n",
       "      <td>5d4728494832d03bbfb75367836fef4e</td>\n",
       "      <td>2022-07-22 11:08:27</td>\n",
       "      <td>2022-07-22 13:00:51</td>\n",
       "      <td>5d4728494832d03bbfb75367836fef4e</td>\n",
       "      <td>691200</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:pBBKShhc/bQisqkxf3CJS+HQ58B6loNJYlvw9zaa...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Trojan.Generic-9950172-0]</td>\n",
       "      <td>331</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>234bc8a9a4d46fc09e882c75900a3af46a21c3bae960a9...</td>\n",
       "      <td>50ef437e91839b6551a8c0345d7ed3391d3182204c77d4...</td>\n",
       "      <td>fb154557cdd2e98508a420140b2832fa9328fc08</td>\n",
       "      <td>d97a7ad99d03d6e71460ea1d070aabc6</td>\n",
       "      <td>2022-07-22 11:03:13</td>\n",
       "      <td>2022-07-22 23:09:45</td>\n",
       "      <td>d97a7ad99d03d6e71460ea1d070aabc6</td>\n",
       "      <td>782848</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:hJheLDF+GBXYT7Ose6FPmg3T3tG2lqfn3tBzqgf/...</td>\n",
       "      <td>b2b2b2b2b268e868</td>\n",
       "      <td>[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.Emotet-FTNF37FD4B3B9A6.17126...</td>\n",
       "      <td>304</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>258bb2b23c6ea7434eb8c965a168e7eb87257f5d3e4c42...</td>\n",
       "      <td>9d9b1be066c88fdc6bda62a00369a05d53c4f2bac7cb2a...</td>\n",
       "      <td>d880badbb5b3041e401db1000079f4b06bb875d3</td>\n",
       "      <td>b2e8a93629044e790dff4d779dcbcd0d</td>\n",
       "      <td>2022-07-22 10:49:59</td>\n",
       "      <td>2022-07-22 13:02:10</td>\n",
       "      <td>b2e8a93629044e790dff4d779dcbcd0d</td>\n",
       "      <td>751104</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:QolWKutgKC7t1DtuANCqKLvr+U4rG2a/FviAzPVC...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.Emotet-FTN7E05BA7C938A.25784...</td>\n",
       "      <td>295</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>4a688f571024b08f9793559427d8692471f5aa71588289...</td>\n",
       "      <td>bfc3326e7ae309fa30b28c6f1b7ef5cdf04d8c78df34dd...</td>\n",
       "      <td>0ea68aab3721e509ce0b1bff7e574eda037798be</td>\n",
       "      <td>83418a9af56db91ff2c78c4b2b9d62f8</td>\n",
       "      <td>2022-07-19 23:04:49</td>\n",
       "      <td>None</td>\n",
       "      <td>83418a9af56db91ff2c78c4b2b9d62f8</td>\n",
       "      <td>655360</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>dll</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:/6ZMFXzqfoSHr/mvcQYbi2HN8C8BgifO7y7TcuVqr...</td>\n",
       "      <td>90cccc4874cccce8</td>\n",
       "      <td>[32, dll, Emotet, exe, Heodo, trojan]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Trojan.Generic-9942396-0, Win.Trojan.Gene...</td>\n",
       "      <td>215</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>10 rows × 25 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                         sha256_hash  \\\n",
       "0  994c6b6e6d07592cea62bd2b667c60694e862f17f7e740...   \n",
       "1  c8a0a8bce7a0ea50386666600c2ce4c90e23adc02b921b...   \n",
       "2  16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4...   \n",
       "3  c409ad4f64a1ad925ffbfdb88f57dd9177123364a1875c...   \n",
       "4  8b5a10f9a8f2b25057442111a01faf021ef7e048eab875...   \n",
       "5  fc63829723b725fab3a69bac667f379d300b12d60cba35...   \n",
       "6  caa60b9025dfba07efac6cae5438a8e20d9b7c210a721a...   \n",
       "7  234bc8a9a4d46fc09e882c75900a3af46a21c3bae960a9...   \n",
       "8  258bb2b23c6ea7434eb8c965a168e7eb87257f5d3e4c42...   \n",
       "9  4a688f571024b08f9793559427d8692471f5aa71588289...   \n",
       "\n",
       "                                       sha3_384_hash  \\\n",
       "0  3500e84cac6ea8504d98d1c59e27b497f6241cc6943a60...   \n",
       "1  4a055c57c7384f4caaf8f8a804cf0a0a40c448ede47126...   \n",
       "2  365fba2160ee6c644daa99aaa92c02f30cfb8d427ff667...   \n",
       "3  42a45407c6132ce00c84add2111d159441acc5b35aa46e...   \n",
       "4  4e9a56bdf35825419667963ec4bd061f0fcc3ce036902d...   \n",
       "5  1b485e28ea1d8191366379171821e7f1dfa63e9be2a2f2...   \n",
       "6  345acaa99928a3ab60ec0e860145372b7c38ce8cef078c...   \n",
       "7  50ef437e91839b6551a8c0345d7ed3391d3182204c77d4...   \n",
       "8  9d9b1be066c88fdc6bda62a00369a05d53c4f2bac7cb2a...   \n",
       "9  bfc3326e7ae309fa30b28c6f1b7ef5cdf04d8c78df34dd...   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  21280cb8d696d79f68e9bb99661d77aaddfa97c1  51b3e08cb5b18fd46876b4a9bebb0fd0   \n",
       "1  586ee85719397ae5548dbd724b92471ff62d5091  13e5decc722a39965a15f47bc3fabb44   \n",
       "2  c0ff465eb0b6ccc0f3a36bb593ced7453736a750  8d925c0da257436438893e6fe7ce2f4f   \n",
       "3  c8a2b0ae061b612f4d4a4cfc4ee3e1f7079b4240  7301880b88f87cd3a593f7106d5743cc   \n",
       "4  c6c966e4ba623f9972273de07b842ffbb9a9efce  1dd34935a785a419fb552b5086ea682e   \n",
       "5  02cb7bfaa6b00c7900a8d60040fe7d97ea9558d1  5c7b589a59f315aad49ca49c3481f2a9   \n",
       "6  abcbd283801a05390995862f59dcb5310f3d3d88  5d4728494832d03bbfb75367836fef4e   \n",
       "7  fb154557cdd2e98508a420140b2832fa9328fc08  d97a7ad99d03d6e71460ea1d070aabc6   \n",
       "8  d880badbb5b3041e401db1000079f4b06bb875d3  b2e8a93629044e790dff4d779dcbcd0d   \n",
       "9  0ea68aab3721e509ce0b1bff7e574eda037798be  83418a9af56db91ff2c78c4b2b9d62f8   \n",
       "\n",
       "            first_seen            last_seen  \\\n",
       "0  2022-08-08 21:20:27                 None   \n",
       "1  2022-08-01 19:50:36                 None   \n",
       "2  2022-08-01 11:40:55                 None   \n",
       "3  2022-07-23 02:54:09                 None   \n",
       "4  2022-07-22 11:52:08                 None   \n",
       "5  2022-07-22 11:41:56  2022-07-22 18:20:13   \n",
       "6  2022-07-22 11:08:27  2022-07-22 13:00:51   \n",
       "7  2022-07-22 11:03:13  2022-07-22 23:09:45   \n",
       "8  2022-07-22 10:49:59  2022-07-22 13:02:10   \n",
       "9  2022-07-19 23:04:49                 None   \n",
       "\n",
       "                              file_name  file_size  \\\n",
       "0  Sample_62a03e5baa5b3700182f075d.xlsm      47898   \n",
       "1  13e5decc722a39965a15f47bc3fabb44.exe     274472   \n",
       "2                                sample     348504   \n",
       "3      7301880b88f87cd3a593f7106d5743cc     962048   \n",
       "4      1dd34935a785a419fb552b5086ea682e     850944   \n",
       "5      5c7b589a59f315aad49ca49c3481f2a9     433664   \n",
       "6      5d4728494832d03bbfb75367836fef4e     691200   \n",
       "7      d97a7ad99d03d6e71460ea1d070aabc6     782848   \n",
       "8      b2e8a93629044e790dff4d779dcbcd0d     751104   \n",
       "9      83418a9af56db91ff2c78c4b2b9d62f8     655360   \n",
       "\n",
       "                                      file_type_mime file_type  ... telfhash  \\\n",
       "0  application/vnd.openxmlformats-officedocument....      xlsm  ...     None   \n",
       "1                              application/x-dosexec       exe  ...     None   \n",
       "2                              application/x-dosexec       dll  ...     None   \n",
       "3                              application/x-dosexec       exe  ...     None   \n",
       "4                              application/x-dosexec       exe  ...     None   \n",
       "5                              application/x-dosexec       exe  ...     None   \n",
       "6                              application/x-dosexec       exe  ...     None   \n",
       "7                              application/x-dosexec       exe  ...     None   \n",
       "8                              application/x-dosexec       exe  ...     None   \n",
       "9                              application/x-dosexec       dll  ...     None   \n",
       "\n",
       "   gimphash                                             ssdeep  \\\n",
       "0      None  768:X5WHFKfQzXTmbfRzdDTKufT9nz0LTyY1NiMZFYpvrL...   \n",
       "1      None  6144:flqhx0eX9B4DfdnCpObaAzmR1NtJWNmd9yKvj:GP9...   \n",
       "2      None  3072:KRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2...   \n",
       "3      None  12288:kvyPTUfrN+lSDLV9dRCYFdVlv6jVBv4w8N6zTlvd...   \n",
       "4      None  12288:jRCGXj4KVB9abMfyzfqvHWnyPv+LVHT2+2JNdX71...   \n",
       "5      None  12288:jTZfuSuI5OORAL3Onl/+HuVPxskfcg3gA:jTxuI5...   \n",
       "6      None  12288:pBBKShhc/bQisqkxf3CJS+HQ58B6loNJYlvw9zaa...   \n",
       "7      None  12288:hJheLDF+GBXYT7Ose6FPmg3T3tG2lqfn3tBzqgf/...   \n",
       "8      None  12288:QolWKutgKC7t1DtuANCqKLvr+U4rG2a/FviAzPVC...   \n",
       "9      None  6144:/6ZMFXzqfoSHr/mvcQYbi2HN8C8BgifO7y7TcuVqr...   \n",
       "\n",
       "         dhash_icon                                         tags code_sign  \\\n",
       "0              None                        [Emotet, Heodo, xlsm]        []   \n",
       "1  1003873d31213f10                         [Emotet, exe, Heodo]        []   \n",
       "2              None                         [dll, Emotet, Heodo]        []   \n",
       "3              None  [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]        []   \n",
       "4              None  [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]        []   \n",
       "5              None  [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]        []   \n",
       "6              None  [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]        []   \n",
       "7  b2b2b2b2b268e868  [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]        []   \n",
       "8              None  [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed]        []   \n",
       "9  90cccc4874cccce8        [32, dll, Emotet, exe, Heodo, trojan]        []   \n",
       "\n",
       "                                 intelligence.clamav intelligence.downloads  \\\n",
       "0  [Sanesecurity.Malware.28370.badform.UNOFFICIAL...                    362   \n",
       "1  [Win.Dropper.Zeus-7729282-0, Win.Dropper.Zeus-...                    433   \n",
       "2  [Win.Malware.Emotet-9823769-0, Win.Malware.Emo...                    251   \n",
       "3  [SecuriteInfo.com.Emotet-FTY5BBDDAC95C90.16550...                    327   \n",
       "4  [SecuriteInfo.com.Emotet-FTNA218E3B03756.13897...                    365   \n",
       "5                      [Win.Trojan.Emotet-9954177-0]                    364   \n",
       "6                     [Win.Trojan.Generic-9950172-0]                    331   \n",
       "7  [SecuriteInfo.com.Emotet-FTNF37FD4B3B9A6.17126...                    304   \n",
       "8  [SecuriteInfo.com.Emotet-FTN7E05BA7C938A.25784...                    295   \n",
       "9  [Win.Trojan.Generic-9942396-0, Win.Trojan.Gene...                    215   \n",
       "\n",
       "  intelligence.uploads intelligence.mail  \n",
       "0                    1              None  \n",
       "1                    1              None  \n",
       "2                    1              None  \n",
       "3                    1              None  \n",
       "4                    1              None  \n",
       "5                    2              None  \n",
       "6                    2              None  \n",
       "7                    2              None  \n",
       "8                    2              None  \n",
       "9                    1              None  \n",
       "\n",
       "[10 rows x 25 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable='emotet', mb_type='tag', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Trickbot samples by signature"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>code_sign</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6ef...</td>\n",
       "      <td>40acf4c4f672dbc849d4159fd71d4207eacd324b359a76...</td>\n",
       "      <td>516c7a538e93f7cf4bff29196511f94e5fbb5a40</td>\n",
       "      <td>8402ab33eafb84178069f8f490ca604d</td>\n",
       "      <td>2022-07-08 09:22:51</td>\n",
       "      <td>None</td>\n",
       "      <td>sefff993.bin</td>\n",
       "      <td>377097</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:jo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0z...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Trojan.Razy-7331425-0, Win.Trojan.Trickbo...</td>\n",
       "      <td>369</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>415e04eb340f1b092288cbcc71295a2c95e864fc1bbfcd...</td>\n",
       "      <td>d602957f9e390a1b02b86632b7ce7a5a41654eb1d3ab63...</td>\n",
       "      <td>d02f452d01660387fd78d40e9f2405c3e38c9668</td>\n",
       "      <td>367b6a5c0e0e8ec68ea14a085b1d32b3</td>\n",
       "      <td>2022-06-23 09:55:13</td>\n",
       "      <td>2022-06-24 08:59:27</td>\n",
       "      <td>solar.php</td>\n",
       "      <td>679008</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:nO4BydKj3ACZfNFEnw6qJxs3UPwgDrZiI0OSnnox...</td>\n",
       "      <td>b8a424fcecec6c70</td>\n",
       "      <td>[exe, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>381</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>7e8c547fcc86e26b973e4c974da8ee2c4cfe84846e2cdf...</td>\n",
       "      <td>c8152131d11565c08615b267a2b103c2a3e3a4de03c406...</td>\n",
       "      <td>ac0724c724f8d6e2a54b41b86d99aa189e40dc81</td>\n",
       "      <td>17492f7b9906b807cffd30e8a0edd993</td>\n",
       "      <td>2022-05-25 12:44:48</td>\n",
       "      <td>None</td>\n",
       "      <td>bnuethogt.bin</td>\n",
       "      <td>550424</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:QyeWT96x+MN2N4Bou8Bw1bFswwGFGvyLOE8uQnUK...</td>\n",
       "      <td>72f16979787a726c</td>\n",
       "      <td>[exe, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>502</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>236f4e149402cba69141e6055a113a68f2bd8653936521...</td>\n",
       "      <td>8bfe50bdbc0e728854537a7cb921898c5519774a486c96...</td>\n",
       "      <td>7cb195e05a78a39cacb0c0d4d4fa23e4c3366785</td>\n",
       "      <td>e05d85acc62b2795bfb94a681e64e20f</td>\n",
       "      <td>2022-03-21 03:04:08</td>\n",
       "      <td>None</td>\n",
       "      <td>sample2.exe</td>\n",
       "      <td>207360</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:2LMNe5kFT/RK1WoJg4ouLl2pFUBm5iKsTFxcW3Qt0...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Dropper.TrickBot-7071016-0, Win.Dropper.T...</td>\n",
       "      <td>636</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>bf374475be396528cdfd21a3eac292bb420e398ba9ee9a...</td>\n",
       "      <td>676c8853fb886d2c3b0fa4bffa1b35ef9cc3b619881d2c...</td>\n",
       "      <td>20c1b26ddd2ae336f811bf658fbbe24c011b6393</td>\n",
       "      <td>958c82aca0066454c7a8062c5b93c348</td>\n",
       "      <td>2022-03-14 09:04:03</td>\n",
       "      <td>2022-03-14 11:23:38</td>\n",
       "      <td>Client_documents_access_5506-2425.xlsm</td>\n",
       "      <td>164251</td>\n",
       "      <td>application/vnd.openxmlformats-officedocument....</td>\n",
       "      <td>xlsm</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:UDegPM4xKT72cL5RWU/S//////////25QMUMWhTHH...</td>\n",
       "      <td>None</td>\n",
       "      <td>[TrickBot, xlsm]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[TwinWave.EvilDoc.DOCXSTRGOOD.XMLENTITY.HTTP, ...</td>\n",
       "      <td>578</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>fcde8f225a14fe70009f32c4acfba0407b5fd6b0da5c2f...</td>\n",
       "      <td>df687c25df1e6c99177f9422b8c921f25bd24b35205556...</td>\n",
       "      <td>c1a72d736eb870684a190bad60d1da7d1292c37b</td>\n",
       "      <td>218c5b56132ee73c7a5ad2e5c96c64d4</td>\n",
       "      <td>2021-12-31 09:34:43</td>\n",
       "      <td>None</td>\n",
       "      <td>218c5b56132ee73c7a5ad2e5c96c64d4.exe</td>\n",
       "      <td>422912</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:YFn61kciCuR6b15sZwkst8K5YHJHJ4wX4wp16SiVy...</td>\n",
       "      <td>e4d0d0f8e4e8d804</td>\n",
       "      <td>[exe, top166, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Packed.Generickdz-9929038-0]</td>\n",
       "      <td>1032</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>1a6bef8525a2b7eded1ea8c92e65cea20a08dc2fff175e...</td>\n",
       "      <td>5e52701ea01aec1f13be846809d29634449a2cd6b83f9a...</td>\n",
       "      <td>421b355c7b3311961359bea6e886a316e410bbf8</td>\n",
       "      <td>da42b3f16999890ffa59a2aa10a334e5</td>\n",
       "      <td>2021-12-30 07:39:42</td>\n",
       "      <td>None</td>\n",
       "      <td>da42b3f16999890ffa59a2aa10a334e5.exe</td>\n",
       "      <td>422400</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:5F61k9CuRQuCBifx5ABMQ2f6OArPtMZotp:fCuGl...</td>\n",
       "      <td>e4d0d0f8e4e8d804</td>\n",
       "      <td>[exe, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>946</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>01c69d0acc8734993ba9cbfe9b0da4616bb05041e103af...</td>\n",
       "      <td>a3612c1deff78976343e226fbcde7e7f70a396380ab1f0...</td>\n",
       "      <td>6010fb83b30adfeba34ac6f302c2c8e865cdc705</td>\n",
       "      <td>1e19cdc980488fb82c9245fde3ba28f8</td>\n",
       "      <td>2021-12-29 12:46:45</td>\n",
       "      <td>None</td>\n",
       "      <td>1e19cdc980488fb82c9245fde3ba28f8.exe</td>\n",
       "      <td>422912</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:YFn61kciCuRBb15sZwkst8K5YHJHJ4wX4wp16SiVy...</td>\n",
       "      <td>e4d0d0f8e4e8d804</td>\n",
       "      <td>[exe, top166, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>813</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>5c032f85c0a9a4a551f6c0057ecc78aec6b625df77fcbf...</td>\n",
       "      <td>53576688e522d84b6e976c933eab2d7eb74a0930666d40...</td>\n",
       "      <td>0cb109a1a37622d8147d11b1b5ffbe858388707b</td>\n",
       "      <td>e9d4ef1a8d0371d5760cd8a815cf1acd</td>\n",
       "      <td>2021-12-29 01:36:34</td>\n",
       "      <td>None</td>\n",
       "      <td>SecuriteInfo.com.W32.AIDetect.malware1.29332.2...</td>\n",
       "      <td>422400</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:5F61k9CuREuCBifx5ABMQ2f6OArPtMZotp:fCuOl...</td>\n",
       "      <td>e4d0d0f8e4e8d804</td>\n",
       "      <td>[exe, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.W32.AIDetect.malware1.29332....</td>\n",
       "      <td>751</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>d9ef2723a2d54f8774224b15ad9324598e2213597cf882...</td>\n",
       "      <td>5a1a255ed0fb5e476a0954cf0817d24b1eb816ee868493...</td>\n",
       "      <td>a47aa744bdcf3523b8957d57a620cc5a48ab2f16</td>\n",
       "      <td>e6211b1c55e1f978dfef54d9916ece48</td>\n",
       "      <td>2021-12-28 21:54:13</td>\n",
       "      <td>None</td>\n",
       "      <td>e6211b1c55e1f978dfef54d9916ece48</td>\n",
       "      <td>422400</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:5F61k9CuRbuCBifx5ABMQ2f6OArPtMZotp:fCuFl...</td>\n",
       "      <td>e4d0d0f8e4e8d804</td>\n",
       "      <td>[32, exe, TrickBot]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>680</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>10 rows × 25 columns</p>\n",
       "</div>"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "# Query Malware Bazaar for samples carrying the 'trickbot' signature, capped at 10 results\n",
    "mbdetail = mblookup.lookup_ioc(observable='trickbot', mb_type='signature', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Latest executable samples (filter by filetype)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 6,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>tlsh</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>ce1e8e57264e84d75ed4960855768418c7a73707d0855d...</td>\n",
       "      <td>2945d468176ca3766e5982574652025887cdce34028f4c...</td>\n",
       "      <td>7fd429ceb24c476a9b3796fe71961575e7637738</td>\n",
       "      <td>fea743ac96b30d64f914d491e802abc1</td>\n",
       "      <td>2022-08-11 09:22:06</td>\n",
       "      <td>None</td>\n",
       "      <td>Copia di pagamento-3400753232678_001-11.08.202...</td>\n",
       "      <td>625664</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T178D4D02025AE7219E039BB7909D7706047F5F622DE1A...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm...</td>\n",
       "      <td>d4e2c8b4ccc8f2cc</td>\n",
       "      <td>[AgentTesla, exe]</td>\n",
       "      <td>None</td>\n",
       "      <td>119</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>2582008cc5626a748f4926d0973f1b4ea0717e5167e1f7...</td>\n",
       "      <td>05d09b744be600daf03e2f67bcdc4b81ee317336ee7988...</td>\n",
       "      <td>e03a9f658327fc96d774ae19d714add257a10d88</td>\n",
       "      <td>2f4a3782d2ab90126ff927026dac5077</td>\n",
       "      <td>2022-08-11 09:19:47</td>\n",
       "      <td>None</td>\n",
       "      <td>2f4a3782d2ab90126ff927026dac5077</td>\n",
       "      <td>834560</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T18D052344079587BCC9AE167C048142641338EB02B2B6...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, exe, RemcosRAT, trojan]</td>\n",
       "      <td>None</td>\n",
       "      <td>109</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88...</td>\n",
       "      <td>7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd...</td>\n",
       "      <td>69bf7182f7cd72ca775be7736b843345efbbdc0e</td>\n",
       "      <td>ca25cc1a0351513cbb0bb70343b03862</td>\n",
       "      <td>2022-08-11 09:19:27</td>\n",
       "      <td>None</td>\n",
       "      <td>ca25cc1a0351513cbb0bb70343b03862</td>\n",
       "      <td>857600</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T10105BEAF7E9C440ECC218B31E84C81B99FA5FDA17912...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, exe, FormBook, trojan]</td>\n",
       "      <td>[SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL]</td>\n",
       "      <td>101</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>9bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0...</td>\n",
       "      <td>513b59672d898a92ea8b79a2c015cc79867ed7cac5d271...</td>\n",
       "      <td>117b1e130cc2f2406b0f38d3b3677e4699f65214</td>\n",
       "      <td>57ecac082ee320cf94b2de1a0927a994</td>\n",
       "      <td>2022-08-11 09:19:13</td>\n",
       "      <td>None</td>\n",
       "      <td>57ecac082ee320cf94b2de1a0927a994</td>\n",
       "      <td>879616</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T13315BFAFAB9C441FCC228B31E84C81B99FA5FC613922...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, AgentTesla, exe]</td>\n",
       "      <td>[SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL]</td>\n",
       "      <td>107</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>f2a4cc133dfeca5432bf22c2817aeb8edb434057711727...</td>\n",
       "      <td>13ad83f7ec5e622b022a06b80f2afa90272cb6a5d7eb5f...</td>\n",
       "      <td>b1eedf6d0b197b0d743e60390864aa279f1f915a</td>\n",
       "      <td>b9694513a38e321b8cbfd807367b7e21</td>\n",
       "      <td>2022-08-11 09:15:26</td>\n",
       "      <td>None</td>\n",
       "      <td>Project sheets.pdf.exe</td>\n",
       "      <td>147736</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T116E37B9C325071DFC8ABD0728EA91D74EA2034BB931B...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:rTpc2Du8SknETVtyMl9Rrhr7jmSBe9BeZ/F8xB2dM...</td>\n",
       "      <td>d2e8ecb2b2a2b282</td>\n",
       "      <td>[exe, Loki]</td>\n",
       "      <td>None</td>\n",
       "      <td>122</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>f53a803c52691f8506f33d2719028822db93ae1799d0ba...</td>\n",
       "      <td>32b0422e11faafaa49f39f0df7b093cddeb316f5087134...</td>\n",
       "      <td>9b2c6fddac6ea6c27a2c5c25d515d389429703c0</td>\n",
       "      <td>4e416bdf228c332a60a4fc0d8326373f</td>\n",
       "      <td>2022-08-11 09:00:33</td>\n",
       "      <td>None</td>\n",
       "      <td>4e416bdf228c332a60a4fc0d8326373f.exe</td>\n",
       "      <td>207360</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T14514CF1677A98A2FE2DE85B8701246468379C2E3D8C3...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPs...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, NanoCore, RAT]</td>\n",
       "      <td>[Win.Dropper.Nancrat-9869495-0, Win.Dropper.Na...</td>\n",
       "      <td>145</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>ba66c7a46a35c1b38aa76a199ae19a65674786771b153e...</td>\n",
       "      <td>5983e487146283ae8c880a5c21b7ef989307d0a0327d59...</td>\n",
       "      <td>b340afd00d6feb4da15b9b10446417e51d3f7082</td>\n",
       "      <td>e6ae2071837c90e79a7f4c6e8e778f0f</td>\n",
       "      <td>2022-08-11 09:00:31</td>\n",
       "      <td>None</td>\n",
       "      <td>e6ae2071837c90e79a7f4c6e8e778f0f.exe</td>\n",
       "      <td>923829</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T18F15123962C1827BD1621A314D4BD3B3FD3ABA041B3C...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E...</td>\n",
       "      <td>b298acbab2ca7a72</td>\n",
       "      <td>[exe, recordbreaker]</td>\n",
       "      <td>[SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL]</td>\n",
       "      <td>133</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>93b24291abe4b2c7d3eebd64168cf86e5b36571bd30645...</td>\n",
       "      <td>bc79bfe7cf79004f707014cae678bb19a55a91402cc143...</td>\n",
       "      <td>92b194b6c75c6c2e8e693fca7f0c660fbcd70be5</td>\n",
       "      <td>76755f4c31240a6247689c0ffdc6e627</td>\n",
       "      <td>2022-08-11 08:45:49</td>\n",
       "      <td>None</td>\n",
       "      <td>AST_928765425672-09876353B.exe</td>\n",
       "      <td>864256</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T18805E79113A9EC11C97DBFF0295939B1C2F275C6A9AC...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:9N+7nP3i1XkYIgj7wPQdh0TLeb9hIv001mWfTd0:...</td>\n",
       "      <td>c496b2b8fcccacdc</td>\n",
       "      <td>[AgentTesla, exe]</td>\n",
       "      <td>None</td>\n",
       "      <td>175</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>08375457359c0439dde333b220071987d355b3a2b0aa9f...</td>\n",
       "      <td>ca9ceb34ae3cd40cd0767a8d665a8346af419f56fd023b...</td>\n",
       "      <td>58133e441cebee95176aba75ef533a99af208758</td>\n",
       "      <td>bb2518245e5b20e35c7a22521be3b6fb</td>\n",
       "      <td>2022-08-11 08:45:38</td>\n",
       "      <td>None</td>\n",
       "      <td>MV TONIC_CTM REQUEST.exe</td>\n",
       "      <td>762368</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T136F4ADAFBA9C440ECC624B31E84C80B95FA5FCA17922...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:xqoKggb2iNdvpc++E4+xp985R+J0vuxrHeBCVLbC...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, Loki]</td>\n",
       "      <td>[SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL]</td>\n",
       "      <td>159</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6...</td>\n",
       "      <td>936d638104e56fd4cdbf6f56c1ea63679a02e763eaef01...</td>\n",
       "      <td>cd8ddf4094ff130568ace0dfc578500213eb5be4</td>\n",
       "      <td>d3c1e94c64ce0e37e03af92f18067ea4</td>\n",
       "      <td>2022-08-11 08:40:28</td>\n",
       "      <td>None</td>\n",
       "      <td>d3c1e94c64ce0e37e03af92f18067ea4.exe</td>\n",
       "      <td>922983</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T1AC1512396281827BD1621A31494BD3B7FD3AB7041B3C...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:pAT8QE+kHVNpJc7Y/sDZ0239GhjS9knREHXsW02E...</td>\n",
       "      <td>b298acbab2ca7a72</td>\n",
       "      <td>[exe, recordbreaker]</td>\n",
       "      <td>[SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL]</td>\n",
       "      <td>158</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>10 rows × 24 columns</p>\n",
       "</div>"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable='exe', mb_type='filetype', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Latest samples that match the ClamAV signature \"Doc.Downloader.Emotet-7580152-0\""
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 7,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>code_sign</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>c59dc2c1dfeeb1396f7d5c6dd909f830da34247b35cb86...</td>\n",
       "      <td>9c1144395e4002f8dcf5f323846f133f069ac2bc6b5ede...</td>\n",
       "      <td>6546af75a7dfbdb3852edd1c248abe97942ce327</td>\n",
       "      <td>000abe09d01b60f777eec90fe14c431b</td>\n",
       "      <td>2020-03-29 08:17:18</td>\n",
       "      <td>2020-03-29 08:17:39</td>\n",
       "      <td>c59dc2c1dfeeb1396f7d5c6dd909f830da34247b35cb86...</td>\n",
       "      <td>208655</td>\n",
       "      <td>application/msword</td>\n",
       "      <td>docx</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgP76EOp...</td>\n",
       "      <td>None</td>\n",
       "      <td>[autoexec, base64, hex, macros, ole]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Doc.Downloader.Emotet-7580152-0, Doc.Download...</td>\n",
       "      <td>101</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>10b1ddd91ee8d2da9ef9dfa5953c526b4c139d14dfa659...</td>\n",
       "      <td>42851417a263d6f87eab2aec15d3fcb912f1df4dd8fe87...</td>\n",
       "      <td>eab6c59c252d1737e2039d6414a7f87b50640abb</td>\n",
       "      <td>c2b47e5a02ac0c89e9ed854ae0cd565c</td>\n",
       "      <td>2020-03-29 08:16:39</td>\n",
       "      <td>2020-03-29 08:19:17</td>\n",
       "      <td>10b1ddd91ee8d2da9ef9dfa5953c526b4c139d14dfa659...</td>\n",
       "      <td>207740</td>\n",
       "      <td>application/msword</td>\n",
       "      <td>docx</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgJz6EOp...</td>\n",
       "      <td>None</td>\n",
       "      <td>[autoexec, base64, hex, macros, ole]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Doc.Downloader.Emotet-7580152-0, Doc.Download...</td>\n",
       "      <td>98</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>bdf5c8be5ef48385c71f424c912523c3cfe6ffa0215d08...</td>\n",
       "      <td>c1605a7c42f38e2dd474f24c4828c19d58b9a5433b2c05...</td>\n",
       "      <td>0fb5d80e11e61ee842a7c1a7d2943a77ecbf42cf</td>\n",
       "      <td>08531ac8e995bfc4692cd0591e985734</td>\n",
       "      <td>2020-03-24 07:42:41</td>\n",
       "      <td>2020-03-29 08:18:05</td>\n",
       "      <td>bdf5c8be5ef48385c71f424c912523c3cfe6ffa0215d08...</td>\n",
       "      <td>207295</td>\n",
       "      <td>application/msword</td>\n",
       "      <td>docx</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUggz6EOp...</td>\n",
       "      <td>None</td>\n",
       "      <td>[autoexec, base64, hex, macros, ole]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Doc.Downloader.Emotet-7580152-0, Doc.Download...</td>\n",
       "      <td>90</td>\n",
       "      <td>3</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>542c29b3dfea261203a5c99b3657016a633a66231a82a9...</td>\n",
       "      <td>c54ebe98f5c9d9c800a11dd83622313e871ff72bd6a8ed...</td>\n",
       "      <td>8ffeeadd4f843f0070134d65a6b29e2ddbe66bc4</td>\n",
       "      <td>d7194984c4e923d1c59233bf0b640bf7</td>\n",
       "      <td>2020-03-24 07:41:27</td>\n",
       "      <td>None</td>\n",
       "      <td>542c29b3dfea261203a5c99b3657016a633a66231a82a9...</td>\n",
       "      <td>208657</td>\n",
       "      <td>application/msword</td>\n",
       "      <td>docx</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgvH6EOp...</td>\n",
       "      <td>None</td>\n",
       "      <td>[autoexec, base64, Emotet, Heodo, hex, macros,...</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Doc.Downloader.Emotet-7580152-0, Doc.Download...</td>\n",
       "      <td>95</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>9e0f471dcc7e1f874dc550fa5ea840391bfe33e8576e26...</td>\n",
       "      <td>8a24530041c75ede2fe03f2d9c8103314ad65516219750...</td>\n",
       "      <td>fe1f0c74137e19db8d893a29afd75f227283593c</td>\n",
       "      <td>096000880d75f7f35acf59f533c58b77</td>\n",
       "      <td>2020-03-24 07:38:05</td>\n",
       "      <td>2020-03-29 08:13:48</td>\n",
       "      <td>9e0f471dcc7e1f874dc550fa5ea840391bfe33e8576e26...</td>\n",
       "      <td>208471</td>\n",
       "      <td>application/msword</td>\n",
       "      <td>docx</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgsz6EOp...</td>\n",
       "      <td>None</td>\n",
       "      <td>[autoexec, base64, Emotet, Heodo, hex, macros,...</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Doc.Downloader.Emotet-7580152-0, Doc.Download...</td>\n",
       "      <td>94</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>5a4fc3c23be16cff577a8b9af743cdfc330a1a3a8efea3...</td>\n",
       "      <td>cdb35169fb4be823e35b659fd21ebcdcf832125817e886...</td>\n",
       "      <td>9a687b92317df18848fd77f179fb34889f4e4a04</td>\n",
       "      <td>24f0c3737e9f5b5f37ebd2d97816ed17</td>\n",
       "      <td>2020-03-23 18:49:10</td>\n",
       "      <td>2020-03-29 08:19:52</td>\n",
       "      <td>5a4fc3c23be16cff577a8b9af743cdfc330a1a3a8efea3...</td>\n",
       "      <td>208248</td>\n",
       "      <td>application/msword</td>\n",
       "      <td>docx</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUg2f6EOp...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Emotet, Heodo]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Doc.Downloader.Emotet-7580152-0, Doc.Download...</td>\n",
       "      <td>75</td>\n",
       "      <td>3</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>6c9abcc36eabca228547b6478a2da6026d8c1874f8ba68...</td>\n",
       "      <td>2eb9a63f336aa5518f99ac7aa57bed6905e7c8440e4885...</td>\n",
       "      <td>4167167b821b2ac0718c68cfb6482bc58bca9d41</td>\n",
       "      <td>99fae99a021d5ef85291293f89c34f9a</td>\n",
       "      <td>2020-03-23 16:57:26</td>\n",
       "      <td>2020-03-23 18:55:47</td>\n",
       "      <td>6c9abcc36eabca228547b6478a2da6026d8c1874f8ba68...</td>\n",
       "      <td>207795</td>\n",
       "      <td>application/msword</td>\n",
       "      <td>docx</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgDH6EOp...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Emotet, Heodo]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Doc.Downloader.Emotet-7580152-0, Doc.Download...</td>\n",
       "      <td>74</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>7 rows × 25 columns</p>\n",
       "</div>"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"Doc.Downloader.Emotet-7580152-0\", mb_type='clamav', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieve the latest samples that match the specified imphash"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 8,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail.Generic</th>\n",
       "      <th>intelligence.mail.IT</th>\n",
       "      <th>intelligence.mail.CH</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>3335f6bcfb168bfad8fe8622f515ffc6e4e3b74c9bab6b...</td>\n",
       "      <td>4978e72d546964948d4836970991611f4890f1aaea6181...</td>\n",
       "      <td>190122935eafdbf0d1c5b0a7c86cb24c04aee308</td>\n",
       "      <td>0d0faa3ffb8ea5d041d2dd24b544d2b1</td>\n",
       "      <td>2020-07-24 09:18:30</td>\n",
       "      <td>None</td>\n",
       "      <td>File 2.exe</td>\n",
       "      <td>809472</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:zRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLO...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, Loki]</td>\n",
       "      <td>[PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...</td>\n",
       "      <td>71</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>97938446027c2f5c4c5eeebff3b37cb3812da2fe45f092...</td>\n",
       "      <td>553a03ed1ba38c7604dfa2a421371b6f3e9e0576f12735...</td>\n",
       "      <td>9979b550d2414f1e97d51b44116ae4fb14ea9265</td>\n",
       "      <td>943c81115f3e9d31fd1ef58690d46acc</td>\n",
       "      <td>2020-07-23 13:49:30</td>\n",
       "      <td>None</td>\n",
       "      <td>commercial invoice + packing list.exe</td>\n",
       "      <td>744960</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:yRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLK...</td>\n",
       "      <td>None</td>\n",
       "      <td>[AgentTesla, exe]</td>\n",
       "      <td>[PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...</td>\n",
       "      <td>74</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>14a985c4f8b469d858f155c59618c45365a0a7b87a73d9...</td>\n",
       "      <td>a59bfde721bd0409e1436c059d1873ec702e7000eab8a7...</td>\n",
       "      <td>5ce575f5ef1611f3594675f593c582a9ff6b356f</td>\n",
       "      <td>a32ac4f5fba2b7224e68d6ad9bfbc2e0</td>\n",
       "      <td>2020-07-22 10:58:06</td>\n",
       "      <td>None</td>\n",
       "      <td>Shipping Document VESSEL SCHEDULE.exe</td>\n",
       "      <td>626688</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:QRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLt...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, Loki]</td>\n",
       "      <td>[PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...</td>\n",
       "      <td>83</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>612a1123c2ca0a0c3f077aa506b48cfbbeb815c1c026b8...</td>\n",
       "      <td>cffb01732f112ad64d2da07c03377f47501d92f75e8e5d...</td>\n",
       "      <td>3303e4acce086996bec36fd46ad396e01960820a</td>\n",
       "      <td>55aaee46446d832abbad8ed6bde21085</td>\n",
       "      <td>2020-07-22 10:44:20</td>\n",
       "      <td>None</td>\n",
       "      <td>1014-07222020.exe</td>\n",
       "      <td>730112</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:HRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLp...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, NanoCore, nVpn, RAT]</td>\n",
       "      <td>[PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...</td>\n",
       "      <td>85</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>45b7e7e404b6cd8eaca7798b5977fe17cae6a261e45d6a...</td>\n",
       "      <td>076bdaf9a9578bb2ea4cdbc5de2485fc81dd539b9ddda9...</td>\n",
       "      <td>6a7b3c48b240e8566aa53d73d75d438856015e0a</td>\n",
       "      <td>cd0a2bd06bdbf4047a3d4f01227cb5b5</td>\n",
       "      <td>2020-07-22 10:42:42</td>\n",
       "      <td>None</td>\n",
       "      <td>Ordine nÂ° 2000837220720.exe</td>\n",
       "      <td>729088</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:PRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLK...</td>\n",
       "      <td>None</td>\n",
       "      <td>[AgentTesla, exe]</td>\n",
       "      <td>[PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...</td>\n",
       "      <td>83</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>585dbee4540fb6bf72116be77c1902ef1c1a716a70b491...</td>\n",
       "      <td>1a04194b0ad44ddeb25b7d155ce59429fa3eaed4f83547...</td>\n",
       "      <td>7ae1b49f968d668faded948c1c674011af4d95a0</td>\n",
       "      <td>ec1de4028f8a2f58111370668da35a39</td>\n",
       "      <td>2020-07-22 10:15:11</td>\n",
       "      <td>None</td>\n",
       "      <td>Factura Adiego.exe</td>\n",
       "      <td>829440</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:5RmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqL2...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, NanoCore, nVpn, RAT]</td>\n",
       "      <td>[PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...</td>\n",
       "      <td>87</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>4dd2b414c77ad5e60685dd8afbb92d5bf6e3ed11edfa36...</td>\n",
       "      <td>d2c6de54c4357e3df26c370a252c4887b5ab447d02470f...</td>\n",
       "      <td>f3dbd99925f98b225ff23a799001495d04097bce</td>\n",
       "      <td>bd66883c753dde3a74f14e8b5ff9f163</td>\n",
       "      <td>2020-07-22 10:13:47</td>\n",
       "      <td>None</td>\n",
       "      <td>Solicitud de presupuesto 009876.exe</td>\n",
       "      <td>737280</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:KRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLJ...</td>\n",
       "      <td>None</td>\n",
       "      <td>[AgentTesla, exe]</td>\n",
       "      <td>[PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...</td>\n",
       "      <td>82</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>52e864374ebb34727b88f278970946520a53383c0b7e85...</td>\n",
       "      <td>f1558f950057bb5cb78df801b8b80ec3670cf0841cd837...</td>\n",
       "      <td>acbdf5ae0b8b73d8203f52b1e104205ac39432d6</td>\n",
       "      <td>2e0754487143853f2791b729f2222146</td>\n",
       "      <td>2020-07-22 10:11:26</td>\n",
       "      <td>None</td>\n",
       "      <td>Product Inquiry.exe</td>\n",
       "      <td>1161216</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:O0B4U+Qo5Ph4ZWkQ5egqLEYctMqp0l7IQVDtyqkx...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, MassLogger]</td>\n",
       "      <td>[SecuriteInfo.com.Win32.Herz.B.125.14884.UNOFF...</td>\n",
       "      <td>76</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>26e7e2592001dcae03d24805daf839378a61263b2aab7a...</td>\n",
       "      <td>f69e210ee6c857145684a95b98f0647538804322d10078...</td>\n",
       "      <td>d1fd550d804bf18c3cebfc9e0839d1f4667ff9b7</td>\n",
       "      <td>d90a279bbb5237ed268a6d2f1b7ff435</td>\n",
       "      <td>2020-07-22 10:10:49</td>\n",
       "      <td>2020-07-22 14:26:26</td>\n",
       "      <td>Shipping Documents.exe</td>\n",
       "      <td>726016</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:3RmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLJ...</td>\n",
       "      <td>None</td>\n",
       "      <td>[AgentTesla, exe]</td>\n",
       "      <td>[PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...</td>\n",
       "      <td>78</td>\n",
       "      <td>2</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>0de023c805c4aabdc9dab70f5660298017276e1a14ca05...</td>\n",
       "      <td>81c3e6882ad0adbba0e816a99627d4c7b0eb6c341091cc...</td>\n",
       "      <td>536dc660173b996bc930e9d6a8e1885af58af181</td>\n",
       "      <td>6df4fddd3267ebfec3f7bd6f9101afa0</td>\n",
       "      <td>2020-07-22 10:10:39</td>\n",
       "      <td>None</td>\n",
       "      <td>IMG-00120200721_0099991.xls.exe</td>\n",
       "      <td>1159680</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:u0B4U+Qo5Ph4ZWkQ5egqLk8FH5k4LbIkcYcZpRqQ...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, geo, MassLogger, TUR]</td>\n",
       "      <td>[SecuriteInfo.com.Win32.Herz.B.125.14884.UNOFF...</td>\n",
       "      <td>78</td>\n",
       "      <td>1</td>\n",
       "      <td>low</td>\n",
       "      <td>NaN</td>\n",
       "      <td>low</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>10 rows × 26 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                         sha256_hash  \\\n",
       "0  3335f6bcfb168bfad8fe8622f515ffc6e4e3b74c9bab6b...   \n",
       "1  97938446027c2f5c4c5eeebff3b37cb3812da2fe45f092...   \n",
       "2  14a985c4f8b469d858f155c59618c45365a0a7b87a73d9...   \n",
       "3  612a1123c2ca0a0c3f077aa506b48cfbbeb815c1c026b8...   \n",
       "4  45b7e7e404b6cd8eaca7798b5977fe17cae6a261e45d6a...   \n",
       "5  585dbee4540fb6bf72116be77c1902ef1c1a716a70b491...   \n",
       "6  4dd2b414c77ad5e60685dd8afbb92d5bf6e3ed11edfa36...   \n",
       "7  52e864374ebb34727b88f278970946520a53383c0b7e85...   \n",
       "8  26e7e2592001dcae03d24805daf839378a61263b2aab7a...   \n",
       "9  0de023c805c4aabdc9dab70f5660298017276e1a14ca05...   \n",
       "\n",
       "                                       sha3_384_hash  \\\n",
       "0  4978e72d546964948d4836970991611f4890f1aaea6181...   \n",
       "1  553a03ed1ba38c7604dfa2a421371b6f3e9e0576f12735...   \n",
       "2  a59bfde721bd0409e1436c059d1873ec702e7000eab8a7...   \n",
       "3  cffb01732f112ad64d2da07c03377f47501d92f75e8e5d...   \n",
       "4  076bdaf9a9578bb2ea4cdbc5de2485fc81dd539b9ddda9...   \n",
       "5  1a04194b0ad44ddeb25b7d155ce59429fa3eaed4f83547...   \n",
       "6  d2c6de54c4357e3df26c370a252c4887b5ab447d02470f...   \n",
       "7  f1558f950057bb5cb78df801b8b80ec3670cf0841cd837...   \n",
       "8  f69e210ee6c857145684a95b98f0647538804322d10078...   \n",
       "9  81c3e6882ad0adbba0e816a99627d4c7b0eb6c341091cc...   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  190122935eafdbf0d1c5b0a7c86cb24c04aee308  0d0faa3ffb8ea5d041d2dd24b544d2b1   \n",
       "1  9979b550d2414f1e97d51b44116ae4fb14ea9265  943c81115f3e9d31fd1ef58690d46acc   \n",
       "2  5ce575f5ef1611f3594675f593c582a9ff6b356f  a32ac4f5fba2b7224e68d6ad9bfbc2e0   \n",
       "3  3303e4acce086996bec36fd46ad396e01960820a  55aaee46446d832abbad8ed6bde21085   \n",
       "4  6a7b3c48b240e8566aa53d73d75d438856015e0a  cd0a2bd06bdbf4047a3d4f01227cb5b5   \n",
       "5  7ae1b49f968d668faded948c1c674011af4d95a0  ec1de4028f8a2f58111370668da35a39   \n",
       "6  f3dbd99925f98b225ff23a799001495d04097bce  bd66883c753dde3a74f14e8b5ff9f163   \n",
       "7  acbdf5ae0b8b73d8203f52b1e104205ac39432d6  2e0754487143853f2791b729f2222146   \n",
       "8  d1fd550d804bf18c3cebfc9e0839d1f4667ff9b7  d90a279bbb5237ed268a6d2f1b7ff435   \n",
       "9  536dc660173b996bc930e9d6a8e1885af58af181  6df4fddd3267ebfec3f7bd6f9101afa0   \n",
       "\n",
       "            first_seen            last_seen  \\\n",
       "0  2020-07-24 09:18:30                 None   \n",
       "1  2020-07-23 13:49:30                 None   \n",
       "2  2020-07-22 10:58:06                 None   \n",
       "3  2020-07-22 10:44:20                 None   \n",
       "4  2020-07-22 10:42:42                 None   \n",
       "5  2020-07-22 10:15:11                 None   \n",
       "6  2020-07-22 10:13:47                 None   \n",
       "7  2020-07-22 10:11:26                 None   \n",
       "8  2020-07-22 10:10:49  2020-07-22 14:26:26   \n",
       "9  2020-07-22 10:10:39                 None   \n",
       "\n",
       "                               file_name  file_size         file_type_mime  \\\n",
       "0                             File 2.exe     809472  application/x-dosexec   \n",
       "1  commercial invoice + packing list.exe     744960  application/x-dosexec   \n",
       "2  Shipping Document VESSEL SCHEDULE.exe     626688  application/x-dosexec   \n",
       "3                      1014-07222020.exe     730112  application/x-dosexec   \n",
       "4           Ordine nÂ° 2000837220720.exe     729088  application/x-dosexec   \n",
       "5                     Factura Adiego.exe     829440  application/x-dosexec   \n",
       "6    Solicitud de presupuesto 009876.exe     737280  application/x-dosexec   \n",
       "7                    Product Inquiry.exe    1161216  application/x-dosexec   \n",
       "8                 Shipping Documents.exe     726016  application/x-dosexec   \n",
       "9        IMG-00120200721_0099991.xls.exe    1159680  application/x-dosexec   \n",
       "\n",
       "  file_type  ... gimphash                                             ssdeep  \\\n",
       "0       exe  ...     None  12288:zRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLO...   \n",
       "1       exe  ...     None  12288:yRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLK...   \n",
       "2       exe  ...     None  12288:QRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLt...   \n",
       "3       exe  ...     None  12288:HRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLp...   \n",
       "4       exe  ...     None  12288:PRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLK...   \n",
       "5       exe  ...     None  12288:5RmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqL2...   \n",
       "6       exe  ...     None  12288:KRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLJ...   \n",
       "7       exe  ...     None  24576:O0B4U+Qo5Ph4ZWkQ5egqLEYctMqp0l7IQVDtyqkx...   \n",
       "8       exe  ...     None  12288:3RmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLJ...   \n",
       "9       exe  ...     None  24576:u0B4U+Qo5Ph4ZWkQ5egqLk8FH5k4LbIkcYcZpRqQ...   \n",
       "\n",
       "  dhash_icon                         tags  \\\n",
       "0       None                  [exe, Loki]   \n",
       "1       None            [AgentTesla, exe]   \n",
       "2       None                  [exe, Loki]   \n",
       "3       None   [exe, NanoCore, nVpn, RAT]   \n",
       "4       None            [AgentTesla, exe]   \n",
       "5       None   [exe, NanoCore, nVpn, RAT]   \n",
       "6       None            [AgentTesla, exe]   \n",
       "7       None            [exe, MassLogger]   \n",
       "8       None            [AgentTesla, exe]   \n",
       "9       None  [exe, geo, MassLogger, TUR]   \n",
       "\n",
       "                                 intelligence.clamav intelligence.downloads  \\\n",
       "0  [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...                     71   \n",
       "1  [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...                     74   \n",
       "2  [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...                     83   \n",
       "3  [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...                     85   \n",
       "4  [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...                     83   \n",
       "5  [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...                     87   \n",
       "6  [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...                     82   \n",
       "7  [SecuriteInfo.com.Win32.Herz.B.125.14884.UNOFF...                     76   \n",
       "8  [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa...                     78   \n",
       "9  [SecuriteInfo.com.Win32.Herz.B.125.14884.UNOFF...                     78   \n",
       "\n",
       "  intelligence.uploads intelligence.mail.Generic intelligence.mail.IT  \\\n",
       "0                    1                       low                  NaN   \n",
       "1                    1                       low                  NaN   \n",
       "2                    1                       low                  NaN   \n",
       "3                    1                       low                  NaN   \n",
       "4                    1                       low                  low   \n",
       "5                    1                       low                  NaN   \n",
       "6                    1                       low                  NaN   \n",
       "7                    1                       low                  NaN   \n",
       "8                    2                       low                  NaN   \n",
       "9                    1                       low                  NaN   \n",
       "\n",
       "  intelligence.mail.CH  \n",
       "0                  NaN  \n",
       "1                  NaN  \n",
       "2                  NaN  \n",
       "3                  NaN  \n",
       "4                  NaN  \n",
       "5                  NaN  \n",
       "6                  NaN  \n",
       "7                  NaN  \n",
       "8                  NaN  \n",
       "9                  low  \n",
       "\n",
       "[10 rows x 26 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"45d579faec0eaf279c0841b2233727cf\", mb_type='imphash', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieves latest samples that matches the specified icon dhash"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 9,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>tlsh</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>5c7376642ae772ebc0e2363467174c4f83c111a98b3658...</td>\n",
       "      <td>8a4ff9a844323ca6e311b023fd0ddf9f1afa7a63323aa8...</td>\n",
       "      <td>318989d3c23db978109546b586d0a0b3e496843a</td>\n",
       "      <td>c69936d8205c54b3fa75e79aa3abe2a7</td>\n",
       "      <td>2021-08-30 12:25:47</td>\n",
       "      <td>None</td>\n",
       "      <td>5C7376642AE772EBC0E2363467174C4F83C111A98B365.exe</td>\n",
       "      <td>477184</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T19AA401127A90C432C4961A344936E7B05BBABD7159B4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:7VXoa6rJsXSlvYdyBYlQahhyvuAsjSD/HOaj+M/le...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, RaccoonStealer]</td>\n",
       "      <td>[Win.Dropper.Zusy-9876039-0, Win.Packed.Generi...</td>\n",
       "      <td>88</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>f5ce1abb61275e3402f49f48e8094bd2aa038f03845c41...</td>\n",
       "      <td>cedb0010f5eed344afdd71e43a65201dbf66b881934daf...</td>\n",
       "      <td>9a14d82d40df41a76b2bbc7e6666a6356f847ca4</td>\n",
       "      <td>f955a4e61c68b3468602f18ab469c46e</td>\n",
       "      <td>2021-07-31 04:15:39</td>\n",
       "      <td>None</td>\n",
       "      <td>f955a4e61c68b3468602f18ab469c46e.exe</td>\n",
       "      <td>539136</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T135B4F160FAB0C872C0E4053188E5C5A5262DBC257960...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:zMlg7xejJLjVFT87j9ycfUgso52VnSAUiix0PelGO...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, RaccoonStealer]</td>\n",
       "      <td>[Win.Malware.Filerepmetagen-9881079-0, Win.Mal...</td>\n",
       "      <td>552</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>5b74ce1d96a51a2083e32854851ac5152bca49293c4a59...</td>\n",
       "      <td>5c268e08a5be03dab7edb452c4ef32b664cbf174dd1147...</td>\n",
       "      <td>ab710e4811d11d68ca5505a0408ebed17760a5b8</td>\n",
       "      <td>d5e720a7076622dfbd3609642cac5c03</td>\n",
       "      <td>2021-07-25 20:55:55</td>\n",
       "      <td>None</td>\n",
       "      <td>ab710e4811d11d68ca5505a0408ebed17760a5b8.exe</td>\n",
       "      <td>311808</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T12564E011FEB1C832D4550A7148E6C664672DB821FB70...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:EG0NJtV7zMcepWlFYr4TXFQ3Rl41XwcVBPAn:h0NJ...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, RedLineStealer]</td>\n",
       "      <td>[Win.Packed.Raccoon-9881206-0]</td>\n",
       "      <td>160</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>bf53b4b404f09c51fc30b4e683f5258b8172e0698ec618...</td>\n",
       "      <td>b578616eceac5f11bb16752b2fbecadd037e2898ee69e2...</td>\n",
       "      <td>4d6304391e16baa517f219ee644b4227fe2b2a65</td>\n",
       "      <td>f4ad2cb7d4d6b02b1debf1d41849b71e</td>\n",
       "      <td>2021-07-25 16:41:16</td>\n",
       "      <td>None</td>\n",
       "      <td>f4ad2cb7d4d6b02b1debf1d41849b71e.exe</td>\n",
       "      <td>504320</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T1C4B41239B2A0C471D81104315CE7CB95AEAE7C3B6A7C...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:Ek9mTKSLL6cUQalEKi4WMhx+/YhZCOc7BlYh8wOES...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, RaccoonStealer]</td>\n",
       "      <td>[Win.Malware.Generic-9880784-0, Win.Malware.Ge...</td>\n",
       "      <td>163</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>6b01154004b3baac2cc7701d8319f4cc7a7ef361e02937...</td>\n",
       "      <td>3b2441005a98b394e393db6bb6c869fb1e61e9af0afe88...</td>\n",
       "      <td>ad5f75c5f9471a80a42ddd517af33eac080694e6</td>\n",
       "      <td>ae428d94143f5ccba46a5f839074eca9</td>\n",
       "      <td>2021-07-25 11:41:14</td>\n",
       "      <td>None</td>\n",
       "      <td>ae428d94143f5ccba46a5f839074eca9.exe</td>\n",
       "      <td>504320</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T1A2B40213B680D473C25119310CE3CA79677DA96E1D38...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:aj0qGutOATlQtEo35BFVrfkpZCq//GVn/5c1ypYJ...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, RaccoonStealer]</td>\n",
       "      <td>[Win.Malware.Generic-9880784-0, Win.Malware.Ge...</td>\n",
       "      <td>171</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>4acbafb8a79411abf461bc4ebe4ad1efe4abe663adcd79...</td>\n",
       "      <td>d81df14267a306a36649d233e3d07b2166f0345ba26c26...</td>\n",
       "      <td>ca764bbc548407d20f0a465aad48879b405658f1</td>\n",
       "      <td>200f4423e9f93a1b71a5ef368ba5919f</td>\n",
       "      <td>2021-07-25 05:51:35</td>\n",
       "      <td>2021-07-25 07:03:21</td>\n",
       "      <td>200f4423e9f93a1b71a5ef368ba5919f.exe</td>\n",
       "      <td>525824</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T1B1B40154FA71EC32C094087444F5E6A1763CA826B955...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:OlahFbdTbwPjfEmNYYsVWQMkFmqiBPAi:OlahFb1...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, RaccoonStealer]</td>\n",
       "      <td>[SecuriteInfo.com.W32.AIDetect.malware1.2062.2...</td>\n",
       "      <td>141</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>a6b60d3eaf83eb41ef1a22617ce085d5560f0768728a47...</td>\n",
       "      <td>4e94ecf58933955276e1a273d03534d3ce9b8c06649f9b...</td>\n",
       "      <td>fceff8fecbbe296d2b1fc4ed0dd4cd435704d259</td>\n",
       "      <td>4b6f1e1c7508808132fa6da57ba4f703</td>\n",
       "      <td>2021-07-24 17:00:56</td>\n",
       "      <td>None</td>\n",
       "      <td>4b6f1e1c7508808132fa6da57ba4f703.exe</td>\n",
       "      <td>504832</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T14AB40264B190C472E0915A315CE3C752AABEBC75AD7D...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:/s1URJ/dBZ9f9pVpu6TPS57m8+/p/228pv17ZtCmK...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, RaccoonStealer]</td>\n",
       "      <td>[Win.Malware.Generic-9880784-0, Win.Malware.Ge...</td>\n",
       "      <td>127</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>b1e70a6920b93d6df9e7bf189d43378b5e449beedcf65f...</td>\n",
       "      <td>4fa22011a026a385024eafeb277110072482c205c2b1fa...</td>\n",
       "      <td>a522645953d3992521b8ce13d5136ff8199de7bd</td>\n",
       "      <td>1ef23731d98d4f68020f8266876a8746</td>\n",
       "      <td>2021-07-24 17:00:53</td>\n",
       "      <td>None</td>\n",
       "      <td>1ef23731d98d4f68020f8266876a8746.exe</td>\n",
       "      <td>504832</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T113B41220F261C873D5A416315CE3C7D5AEAFEC3149A8...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:YOC33JJPtpjz8u6dQDyushZ4H2D5ZyEqL:JC33vP...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, RaccoonStealer]</td>\n",
       "      <td>[Win.Malware.Generic-9880784-0, Win.Malware.Ge...</td>\n",
       "      <td>128</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>4bf2dace8a23551a3cd374a14b68cef6185aa18f9148da...</td>\n",
       "      <td>15e9c270e925de997a7a8bccd0267f902130801e954d87...</td>\n",
       "      <td>fdc030df123e6e6a712cbc960a2e7c63266bf040</td>\n",
       "      <td>0b862b9c889d4bdc6f0bac7d702d8753</td>\n",
       "      <td>2021-07-24 10:59:30</td>\n",
       "      <td>2021-07-24 11:49:58</td>\n",
       "      <td>0b862b9c889d4bdc6f0bac7d702d8753</td>\n",
       "      <td>805888</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T1F1051260FAB0CC32C4840A7859F6C6A5262DFC667B70...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:reKt4RjnJ+wWEr55fRue+cfxiskJM0BPA:rORdGA...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[32, exe, TeamBot]</td>\n",
       "      <td>[SecuriteInfo.com.W32.AIDetect.malware2.23336....</td>\n",
       "      <td>145</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>3ad13fd7968f9574d2c822e579291c77a0c525991cfb78...</td>\n",
       "      <td>f6ccb0d1c911bea5cd76f893fd9ed9b15a5e651d9f2268...</td>\n",
       "      <td>4412581e1e3e21494b2e8311e9a3690f684a743c</td>\n",
       "      <td>4ef58d8885410f6befd97f5536756ef4</td>\n",
       "      <td>2021-07-24 07:05:56</td>\n",
       "      <td>2021-07-24 07:55:34</td>\n",
       "      <td>4ef58d8885410f6befd97f5536756ef4.exe</td>\n",
       "      <td>4625448</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T1FF26338CFAB2C9B3C84504B186DD8328636FE8523C78...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>98304:I+tu+wI9bpk/h60fb5FX6oWhkwQVNN0cMVNr9wu:...</td>\n",
       "      <td>48b9b2b0e8c18c90</td>\n",
       "      <td>[exe, Glupteba]</td>\n",
       "      <td>[SecuriteInfo.com.Trojan.GenericKD.46673241.17...</td>\n",
       "      <td>292</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>10 rows × 24 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                         sha256_hash  \\\n",
       "0  5c7376642ae772ebc0e2363467174c4f83c111a98b3658...   \n",
       "1  f5ce1abb61275e3402f49f48e8094bd2aa038f03845c41...   \n",
       "2  5b74ce1d96a51a2083e32854851ac5152bca49293c4a59...   \n",
       "3  bf53b4b404f09c51fc30b4e683f5258b8172e0698ec618...   \n",
       "4  6b01154004b3baac2cc7701d8319f4cc7a7ef361e02937...   \n",
       "5  4acbafb8a79411abf461bc4ebe4ad1efe4abe663adcd79...   \n",
       "6  a6b60d3eaf83eb41ef1a22617ce085d5560f0768728a47...   \n",
       "7  b1e70a6920b93d6df9e7bf189d43378b5e449beedcf65f...   \n",
       "8  4bf2dace8a23551a3cd374a14b68cef6185aa18f9148da...   \n",
       "9  3ad13fd7968f9574d2c822e579291c77a0c525991cfb78...   \n",
       "\n",
       "                                       sha3_384_hash  \\\n",
       "0  8a4ff9a844323ca6e311b023fd0ddf9f1afa7a63323aa8...   \n",
       "1  cedb0010f5eed344afdd71e43a65201dbf66b881934daf...   \n",
       "2  5c268e08a5be03dab7edb452c4ef32b664cbf174dd1147...   \n",
       "3  b578616eceac5f11bb16752b2fbecadd037e2898ee69e2...   \n",
       "4  3b2441005a98b394e393db6bb6c869fb1e61e9af0afe88...   \n",
       "5  d81df14267a306a36649d233e3d07b2166f0345ba26c26...   \n",
       "6  4e94ecf58933955276e1a273d03534d3ce9b8c06649f9b...   \n",
       "7  4fa22011a026a385024eafeb277110072482c205c2b1fa...   \n",
       "8  15e9c270e925de997a7a8bccd0267f902130801e954d87...   \n",
       "9  f6ccb0d1c911bea5cd76f893fd9ed9b15a5e651d9f2268...   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  318989d3c23db978109546b586d0a0b3e496843a  c69936d8205c54b3fa75e79aa3abe2a7   \n",
       "1  9a14d82d40df41a76b2bbc7e6666a6356f847ca4  f955a4e61c68b3468602f18ab469c46e   \n",
       "2  ab710e4811d11d68ca5505a0408ebed17760a5b8  d5e720a7076622dfbd3609642cac5c03   \n",
       "3  4d6304391e16baa517f219ee644b4227fe2b2a65  f4ad2cb7d4d6b02b1debf1d41849b71e   \n",
       "4  ad5f75c5f9471a80a42ddd517af33eac080694e6  ae428d94143f5ccba46a5f839074eca9   \n",
       "5  ca764bbc548407d20f0a465aad48879b405658f1  200f4423e9f93a1b71a5ef368ba5919f   \n",
       "6  fceff8fecbbe296d2b1fc4ed0dd4cd435704d259  4b6f1e1c7508808132fa6da57ba4f703   \n",
       "7  a522645953d3992521b8ce13d5136ff8199de7bd  1ef23731d98d4f68020f8266876a8746   \n",
       "8  fdc030df123e6e6a712cbc960a2e7c63266bf040  0b862b9c889d4bdc6f0bac7d702d8753   \n",
       "9  4412581e1e3e21494b2e8311e9a3690f684a743c  4ef58d8885410f6befd97f5536756ef4   \n",
       "\n",
       "            first_seen            last_seen  \\\n",
       "0  2021-08-30 12:25:47                 None   \n",
       "1  2021-07-31 04:15:39                 None   \n",
       "2  2021-07-25 20:55:55                 None   \n",
       "3  2021-07-25 16:41:16                 None   \n",
       "4  2021-07-25 11:41:14                 None   \n",
       "5  2021-07-25 05:51:35  2021-07-25 07:03:21   \n",
       "6  2021-07-24 17:00:56                 None   \n",
       "7  2021-07-24 17:00:53                 None   \n",
       "8  2021-07-24 10:59:30  2021-07-24 11:49:58   \n",
       "9  2021-07-24 07:05:56  2021-07-24 07:55:34   \n",
       "\n",
       "                                           file_name  file_size  \\\n",
       "0  5C7376642AE772EBC0E2363467174C4F83C111A98B365.exe     477184   \n",
       "1               f955a4e61c68b3468602f18ab469c46e.exe     539136   \n",
       "2       ab710e4811d11d68ca5505a0408ebed17760a5b8.exe     311808   \n",
       "3               f4ad2cb7d4d6b02b1debf1d41849b71e.exe     504320   \n",
       "4               ae428d94143f5ccba46a5f839074eca9.exe     504320   \n",
       "5               200f4423e9f93a1b71a5ef368ba5919f.exe     525824   \n",
       "6               4b6f1e1c7508808132fa6da57ba4f703.exe     504832   \n",
       "7               1ef23731d98d4f68020f8266876a8746.exe     504832   \n",
       "8                   0b862b9c889d4bdc6f0bac7d702d8753     805888   \n",
       "9               4ef58d8885410f6befd97f5536756ef4.exe    4625448   \n",
       "\n",
       "          file_type_mime file_type  ...  \\\n",
       "0  application/x-dosexec       exe  ...   \n",
       "1  application/x-dosexec       exe  ...   \n",
       "2  application/x-dosexec       exe  ...   \n",
       "3  application/x-dosexec       exe  ...   \n",
       "4  application/x-dosexec       exe  ...   \n",
       "5  application/x-dosexec       exe  ...   \n",
       "6  application/x-dosexec       exe  ...   \n",
       "7  application/x-dosexec       exe  ...   \n",
       "8  application/x-dosexec       exe  ...   \n",
       "9  application/x-dosexec       exe  ...   \n",
       "\n",
       "                                                tlsh  telfhash gimphash  \\\n",
       "0  T19AA401127A90C432C4961A344936E7B05BBABD7159B4...      None     None   \n",
       "1  T135B4F160FAB0C872C0E4053188E5C5A5262DBC257960...      None     None   \n",
       "2  T12564E011FEB1C832D4550A7148E6C664672DB821FB70...      None     None   \n",
       "3  T1C4B41239B2A0C471D81104315CE7CB95AEAE7C3B6A7C...      None     None   \n",
       "4  T1A2B40213B680D473C25119310CE3CA79677DA96E1D38...      None     None   \n",
       "5  T1B1B40154FA71EC32C094087444F5E6A1763CA826B955...      None     None   \n",
       "6  T14AB40264B190C472E0915A315CE3C752AABEBC75AD7D...      None     None   \n",
       "7  T113B41220F261C873D5A416315CE3C7D5AEAFEC3149A8...      None     None   \n",
       "8  T1F1051260FAB0CC32C4840A7859F6C6A5262DFC667B70...      None     None   \n",
       "9  T1FF26338CFAB2C9B3C84504B186DD8328636FE8523C78...      None     None   \n",
       "\n",
       "                                              ssdeep        dhash_icon  \\\n",
       "0  6144:7VXoa6rJsXSlvYdyBYlQahhyvuAsjSD/HOaj+M/le...  48b9b2b0e8c18c90   \n",
       "1  6144:zMlg7xejJLjVFT87j9ycfUgso52VnSAUiix0PelGO...  48b9b2b0e8c18c90   \n",
       "2  6144:EG0NJtV7zMcepWlFYr4TXFQ3Rl41XwcVBPAn:h0NJ...  48b9b2b0e8c18c90   \n",
       "3  6144:Ek9mTKSLL6cUQalEKi4WMhx+/YhZCOc7BlYh8wOES...  48b9b2b0e8c18c90   \n",
       "4  12288:aj0qGutOATlQtEo35BFVrfkpZCq//GVn/5c1ypYJ...  48b9b2b0e8c18c90   \n",
       "5  12288:OlahFbdTbwPjfEmNYYsVWQMkFmqiBPAi:OlahFb1...  48b9b2b0e8c18c90   \n",
       "6  6144:/s1URJ/dBZ9f9pVpu6TPS57m8+/p/228pv17ZtCmK...  48b9b2b0e8c18c90   \n",
       "7  12288:YOC33JJPtpjz8u6dQDyushZ4H2D5ZyEqL:JC33vP...  48b9b2b0e8c18c90   \n",
       "8  24576:reKt4RjnJ+wWEr55fRue+cfxiskJM0BPA:rORdGA...  48b9b2b0e8c18c90   \n",
       "9  98304:I+tu+wI9bpk/h60fb5FX6oWhkwQVNN0cMVNr9wu:...  48b9b2b0e8c18c90   \n",
       "\n",
       "                    tags                                intelligence.clamav  \\\n",
       "0  [exe, RaccoonStealer]  [Win.Dropper.Zusy-9876039-0, Win.Packed.Generi...   \n",
       "1  [exe, RaccoonStealer]  [Win.Malware.Filerepmetagen-9881079-0, Win.Mal...   \n",
       "2  [exe, RedLineStealer]                     [Win.Packed.Raccoon-9881206-0]   \n",
       "3  [exe, RaccoonStealer]  [Win.Malware.Generic-9880784-0, Win.Malware.Ge...   \n",
       "4  [exe, RaccoonStealer]  [Win.Malware.Generic-9880784-0, Win.Malware.Ge...   \n",
       "5  [exe, RaccoonStealer]  [SecuriteInfo.com.W32.AIDetect.malware1.2062.2...   \n",
       "6  [exe, RaccoonStealer]  [Win.Malware.Generic-9880784-0, Win.Malware.Ge...   \n",
       "7  [exe, RaccoonStealer]  [Win.Malware.Generic-9880784-0, Win.Malware.Ge...   \n",
       "8     [32, exe, TeamBot]  [SecuriteInfo.com.W32.AIDetect.malware2.23336....   \n",
       "9        [exe, Glupteba]  [SecuriteInfo.com.Trojan.GenericKD.46673241.17...   \n",
       "\n",
       "  intelligence.downloads intelligence.uploads intelligence.mail  \n",
       "0                     88                    1              None  \n",
       "1                    552                    1              None  \n",
       "2                    160                    1              None  \n",
       "3                    163                    1              None  \n",
       "4                    171                    1              None  \n",
       "5                    141                    2              None  \n",
       "6                    127                    1              None  \n",
       "7                    128                    1              None  \n",
       "8                    145                    2              None  \n",
       "9                    292                    2              None  \n",
       "\n",
       "[10 rows x 24 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"48b9b2b0e8c18c90\", mb_type='dhash', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieves latest samples that matches the specified Yara rule"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 10,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>code_sign</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>2bca2ddb0d37c48969f9ca795248774bc84b2408240e8a...</td>\n",
       "      <td>f924724c6186e5f07bc77327ef1a7321b980b32a723c97...</td>\n",
       "      <td>c6915d02b759be4a2feb2cfe79bd861dd98d2486</td>\n",
       "      <td>b239afc5e3fec697142676c5de84a52a</td>\n",
       "      <td>2022-08-10 19:53:02</td>\n",
       "      <td>None</td>\n",
       "      <td>csQDaSnx.exe</td>\n",
       "      <td>126976</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:mFh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUk...</td>\n",
       "      <td>d4a22b2e0792f0f0</td>\n",
       "      <td>[exe, remcos, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.Trojan.Siggen8.46567.11590.2...</td>\n",
       "      <td>189</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>81cccbe0fe96183f9a3612910a02f5e85479d687b55ac7...</td>\n",
       "      <td>5f98b68c5216d0a71e55d472e2b795ffbb04fd8c92c02c...</td>\n",
       "      <td>db3095e714bc1de4ee07a8ed41f3a8c5211ce7e3</td>\n",
       "      <td>64c7bfc9069bbad2837a9fadcc2b5543</td>\n",
       "      <td>2022-08-10 19:52:37</td>\n",
       "      <td>None</td>\n",
       "      <td>F5AjC83U.exe</td>\n",
       "      <td>126976</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:mFh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUX...</td>\n",
       "      <td>d4a22b2e0792f0f0</td>\n",
       "      <td>[exe, remcos, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.Trojan.Siggen8.46567.11590.2...</td>\n",
       "      <td>184</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>a0911f69ebcbc93540e63bf007fcab0bbece1a9f55c780...</td>\n",
       "      <td>677dc1d42d01e91314fe205639a73edf083e38553bb540...</td>\n",
       "      <td>f35faaa0884f2124d15172e22e889f306a6ab4dc</td>\n",
       "      <td>909b5860cad8562a6908b2e043e89da8</td>\n",
       "      <td>2022-08-10 19:51:51</td>\n",
       "      <td>None</td>\n",
       "      <td>rrXcTwCT.exe</td>\n",
       "      <td>126976</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:mpgk9sZwnSD9Pb0CR36oWdHZ8xyicFtsnal5OzqhP...</td>\n",
       "      <td>d4a22b2e0792f0f0</td>\n",
       "      <td>[exe, remcos, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Malware.Rescoms-6598304-0, Win.Trojan.Rem...</td>\n",
       "      <td>177</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e141...</td>\n",
       "      <td>15d04e1a1b58d63896d5e7a8424a058a9a3d28c74a4174...</td>\n",
       "      <td>efaefb940f47210dd0a3e9483aede0d9d5ce8a52</td>\n",
       "      <td>648e9dc18a8bd5dda03ca12f4f2768e7</td>\n",
       "      <td>2022-08-10 19:51:08</td>\n",
       "      <td>None</td>\n",
       "      <td>RtJT2FrE.exe</td>\n",
       "      <td>131072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:mhh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUn...</td>\n",
       "      <td>d4a22b2e0792f0f0</td>\n",
       "      <td>[exe, NetWire, remcos]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.Trojan.Siggen8.46567.11590.2...</td>\n",
       "      <td>177</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>766ab97dc545207fe08d285356fa47298904585e8f2690...</td>\n",
       "      <td>90ffec08c7fa6921c635e5489a83528246956c2afcded5...</td>\n",
       "      <td>0073c8b602efaca3c2f676079abc771ad8abaed6</td>\n",
       "      <td>ba540e864f3f4afdd2512c6bb91c0b8d</td>\n",
       "      <td>2022-08-10 19:48:12</td>\n",
       "      <td>2022-08-10 19:53:51</td>\n",
       "      <td>g6yLQx19.exe</td>\n",
       "      <td>131072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:nbD9fB6vOkQo7pXTu7i0xHj39kzLQx5/rbyxKyMjO...</td>\n",
       "      <td>d4a22b2e0792f0f0</td>\n",
       "      <td>[exe, Remcos RAT 3.x, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Trojan.Remcos-9752328-1, Win.Trojan.Remco...</td>\n",
       "      <td>180</td>\n",
       "      <td>4</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>98bd9ce6256c71da1189ff7552bc318b6e9e2e89561224...</td>\n",
       "      <td>a08db4ff8a043048e33d36a32b5e958ab4b2e27210205e...</td>\n",
       "      <td>067bd2264d1fe4a61fa7abd46ba4eb104987e2bb</td>\n",
       "      <td>bfa2f087b22e9e188bdb4654ddf17f0a</td>\n",
       "      <td>2022-08-10 19:47:49</td>\n",
       "      <td>None</td>\n",
       "      <td>E1Rj5TTL.exe</td>\n",
       "      <td>126976</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:BSUtqGqBzWgp7q8zZYqCxarWjPHDoGnMAFI+zIcoS...</td>\n",
       "      <td>d4a22b2e0792f0f0</td>\n",
       "      <td>[exe, Remcos RAT 3.x, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Malware.Rescoms-6598304-0, Win.Trojan.Rem...</td>\n",
       "      <td>174</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>56b9e1a9f0704305007504a26661905930387fc49d0fb0...</td>\n",
       "      <td>38e6187ed866f6abe9e3fa98995691d765498718817412...</td>\n",
       "      <td>d972b5f0d29ebd6db596c607434bf930ab822d48</td>\n",
       "      <td>da88c3cc6dbd042b0971b5951d6fb5f4</td>\n",
       "      <td>2022-08-10 19:47:26</td>\n",
       "      <td>2022-08-10 19:49:18</td>\n",
       "      <td>f6x8LJCP.exe</td>\n",
       "      <td>131072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:3bD9fB6vOkQo7pXTu7i0xHj39kzLQx5/rbyxKyMjO...</td>\n",
       "      <td>d4a22b2e0792f0f0</td>\n",
       "      <td>[exe, Remcos RAT 3.x, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Trojan.Remcos-9752328-1, Win.Trojan.Remco...</td>\n",
       "      <td>179</td>\n",
       "      <td>4</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>629dd4f1db7eec3c7a084575676b48ac035fcc0a3ae9df...</td>\n",
       "      <td>8520e6655999cfd773163f19a1a6b4d0eb46097064843c...</td>\n",
       "      <td>326d6ffa21b340ee5dd54f11baa4c1fe24c1e6d7</td>\n",
       "      <td>e0a8f2f5a09a63b2b5f9411028c86d4c</td>\n",
       "      <td>2022-08-09 06:05:17</td>\n",
       "      <td>None</td>\n",
       "      <td>Urgent RFQ_AP65425652_032421,pdf.exe</td>\n",
       "      <td>760832</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:8y5/OnuA02iN2NAoeZBaiGLKb8A1HuNwlSD9Y62s...</td>\n",
       "      <td>00071a1b52522920</td>\n",
       "      <td>[exe, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL]</td>\n",
       "      <td>263</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>bc6f494da47a6a0d914d0accb1e3297610a32feae69271...</td>\n",
       "      <td>4490f159f125e64ccf23eb09fa51109a335ec5917e0e4f...</td>\n",
       "      <td>895d1f61c833447a0db9769679e05594b766fa1a</td>\n",
       "      <td>f61c74deae0ce023bf2231e030edb7ab</td>\n",
       "      <td>2022-08-03 17:44:57</td>\n",
       "      <td>None</td>\n",
       "      <td>f61c74deae0ce023bf2231e030edb7ab</td>\n",
       "      <td>466944</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:Mc53ezqVrhiBZ84M/k22nZcrTEfCNV0cjd2shWR5d...</td>\n",
       "      <td>c4d48eaa8ad4d4f8</td>\n",
       "      <td>[32, exe, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Trojan.Remcos-9841897-0]</td>\n",
       "      <td>330</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>548a6de77d41a75d8463e4aa3d596caf294b6d5bfbc486...</td>\n",
       "      <td>0fd1b5613e91115f9ce75685bc5c74402f0a63f6020ca6...</td>\n",
       "      <td>dc09e242d4a334a70717421a767e2fd76e9f5dec</td>\n",
       "      <td>a35383f9431d405cd1164a1ba5c93a2a</td>\n",
       "      <td>2022-08-03 12:38:58</td>\n",
       "      <td>None</td>\n",
       "      <td>a35383f9431d405cd1164a1ba5c93a2a</td>\n",
       "      <td>466944</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:Mc53ezqVrhiBZ84M/k22nZcrTEfCNV0cjd2shWR5d...</td>\n",
       "      <td>c4d48eaa8ad4d4f8</td>\n",
       "      <td>[32, exe, RemcosRAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>[Win.Trojan.Remcos-9841897-0]</td>\n",
       "      <td>278</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>10 rows × 25 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                         sha256_hash  \\\n",
       "0  2bca2ddb0d37c48969f9ca795248774bc84b2408240e8a...   \n",
       "1  81cccbe0fe96183f9a3612910a02f5e85479d687b55ac7...   \n",
       "2  a0911f69ebcbc93540e63bf007fcab0bbece1a9f55c780...   \n",
       "3  e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e141...   \n",
       "4  766ab97dc545207fe08d285356fa47298904585e8f2690...   \n",
       "5  98bd9ce6256c71da1189ff7552bc318b6e9e2e89561224...   \n",
       "6  56b9e1a9f0704305007504a26661905930387fc49d0fb0...   \n",
       "7  629dd4f1db7eec3c7a084575676b48ac035fcc0a3ae9df...   \n",
       "8  bc6f494da47a6a0d914d0accb1e3297610a32feae69271...   \n",
       "9  548a6de77d41a75d8463e4aa3d596caf294b6d5bfbc486...   \n",
       "\n",
       "                                       sha3_384_hash  \\\n",
       "0  f924724c6186e5f07bc77327ef1a7321b980b32a723c97...   \n",
       "1  5f98b68c5216d0a71e55d472e2b795ffbb04fd8c92c02c...   \n",
       "2  677dc1d42d01e91314fe205639a73edf083e38553bb540...   \n",
       "3  15d04e1a1b58d63896d5e7a8424a058a9a3d28c74a4174...   \n",
       "4  90ffec08c7fa6921c635e5489a83528246956c2afcded5...   \n",
       "5  a08db4ff8a043048e33d36a32b5e958ab4b2e27210205e...   \n",
       "6  38e6187ed866f6abe9e3fa98995691d765498718817412...   \n",
       "7  8520e6655999cfd773163f19a1a6b4d0eb46097064843c...   \n",
       "8  4490f159f125e64ccf23eb09fa51109a335ec5917e0e4f...   \n",
       "9  0fd1b5613e91115f9ce75685bc5c74402f0a63f6020ca6...   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  c6915d02b759be4a2feb2cfe79bd861dd98d2486  b239afc5e3fec697142676c5de84a52a   \n",
       "1  db3095e714bc1de4ee07a8ed41f3a8c5211ce7e3  64c7bfc9069bbad2837a9fadcc2b5543   \n",
       "2  f35faaa0884f2124d15172e22e889f306a6ab4dc  909b5860cad8562a6908b2e043e89da8   \n",
       "3  efaefb940f47210dd0a3e9483aede0d9d5ce8a52  648e9dc18a8bd5dda03ca12f4f2768e7   \n",
       "4  0073c8b602efaca3c2f676079abc771ad8abaed6  ba540e864f3f4afdd2512c6bb91c0b8d   \n",
       "5  067bd2264d1fe4a61fa7abd46ba4eb104987e2bb  bfa2f087b22e9e188bdb4654ddf17f0a   \n",
       "6  d972b5f0d29ebd6db596c607434bf930ab822d48  da88c3cc6dbd042b0971b5951d6fb5f4   \n",
       "7  326d6ffa21b340ee5dd54f11baa4c1fe24c1e6d7  e0a8f2f5a09a63b2b5f9411028c86d4c   \n",
       "8  895d1f61c833447a0db9769679e05594b766fa1a  f61c74deae0ce023bf2231e030edb7ab   \n",
       "9  dc09e242d4a334a70717421a767e2fd76e9f5dec  a35383f9431d405cd1164a1ba5c93a2a   \n",
       "\n",
       "            first_seen            last_seen  \\\n",
       "0  2022-08-10 19:53:02                 None   \n",
       "1  2022-08-10 19:52:37                 None   \n",
       "2  2022-08-10 19:51:51                 None   \n",
       "3  2022-08-10 19:51:08                 None   \n",
       "4  2022-08-10 19:48:12  2022-08-10 19:53:51   \n",
       "5  2022-08-10 19:47:49                 None   \n",
       "6  2022-08-10 19:47:26  2022-08-10 19:49:18   \n",
       "7  2022-08-09 06:05:17                 None   \n",
       "8  2022-08-03 17:44:57                 None   \n",
       "9  2022-08-03 12:38:58                 None   \n",
       "\n",
       "                              file_name  file_size         file_type_mime  \\\n",
       "0                          csQDaSnx.exe     126976  application/x-dosexec   \n",
       "1                          F5AjC83U.exe     126976  application/x-dosexec   \n",
       "2                          rrXcTwCT.exe     126976  application/x-dosexec   \n",
       "3                          RtJT2FrE.exe     131072  application/x-dosexec   \n",
       "4                          g6yLQx19.exe     131072  application/x-dosexec   \n",
       "5                          E1Rj5TTL.exe     126976  application/x-dosexec   \n",
       "6                          f6x8LJCP.exe     131072  application/x-dosexec   \n",
       "7  Urgent RFQ_AP65425652_032421,pdf.exe     760832  application/x-dosexec   \n",
       "8      f61c74deae0ce023bf2231e030edb7ab     466944  application/x-dosexec   \n",
       "9      a35383f9431d405cd1164a1ba5c93a2a     466944  application/x-dosexec   \n",
       "\n",
       "  file_type  ... telfhash  gimphash  \\\n",
       "0       exe  ...     None      None   \n",
       "1       exe  ...     None      None   \n",
       "2       exe  ...     None      None   \n",
       "3       exe  ...     None      None   \n",
       "4       exe  ...     None      None   \n",
       "5       exe  ...     None      None   \n",
       "6       exe  ...     None      None   \n",
       "7       exe  ...     None      None   \n",
       "8       exe  ...     None      None   \n",
       "9       exe  ...     None      None   \n",
       "\n",
       "                                              ssdeep        dhash_icon  \\\n",
       "0  3072:mFh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUk...  d4a22b2e0792f0f0   \n",
       "1  3072:mFh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUX...  d4a22b2e0792f0f0   \n",
       "2  3072:mpgk9sZwnSD9Pb0CR36oWdHZ8xyicFtsnal5OzqhP...  d4a22b2e0792f0f0   \n",
       "3  3072:mhh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUn...  d4a22b2e0792f0f0   \n",
       "4  3072:nbD9fB6vOkQo7pXTu7i0xHj39kzLQx5/rbyxKyMjO...  d4a22b2e0792f0f0   \n",
       "5  3072:BSUtqGqBzWgp7q8zZYqCxarWjPHDoGnMAFI+zIcoS...  d4a22b2e0792f0f0   \n",
       "6  3072:3bD9fB6vOkQo7pXTu7i0xHj39kzLQx5/rbyxKyMjO...  d4a22b2e0792f0f0   \n",
       "7  12288:8y5/OnuA02iN2NAoeZBaiGLKb8A1HuNwlSD9Y62s...  00071a1b52522920   \n",
       "8  6144:Mc53ezqVrhiBZ84M/k22nZcrTEfCNV0cjd2shWR5d...  c4d48eaa8ad4d4f8   \n",
       "9  6144:Mc53ezqVrhiBZ84M/k22nZcrTEfCNV0cjd2shWR5d...  c4d48eaa8ad4d4f8   \n",
       "\n",
       "                               tags code_sign  \\\n",
       "0          [exe, remcos, RemcosRAT]        []   \n",
       "1          [exe, remcos, RemcosRAT]        []   \n",
       "2          [exe, remcos, RemcosRAT]        []   \n",
       "3            [exe, NetWire, remcos]        []   \n",
       "4  [exe, Remcos RAT 3.x, RemcosRAT]        []   \n",
       "5  [exe, Remcos RAT 3.x, RemcosRAT]        []   \n",
       "6  [exe, Remcos RAT 3.x, RemcosRAT]        []   \n",
       "7                  [exe, RemcosRAT]        []   \n",
       "8              [32, exe, RemcosRAT]        []   \n",
       "9              [32, exe, RemcosRAT]        []   \n",
       "\n",
       "                                 intelligence.clamav intelligence.downloads  \\\n",
       "0  [SecuriteInfo.com.Trojan.Siggen8.46567.11590.2...                    189   \n",
       "1  [SecuriteInfo.com.Trojan.Siggen8.46567.11590.2...                    184   \n",
       "2  [Win.Malware.Rescoms-6598304-0, Win.Trojan.Rem...                    177   \n",
       "3  [SecuriteInfo.com.Trojan.Siggen8.46567.11590.2...                    177   \n",
       "4  [Win.Trojan.Remcos-9752328-1, Win.Trojan.Remco...                    180   \n",
       "5  [Win.Malware.Rescoms-6598304-0, Win.Trojan.Rem...                    174   \n",
       "6  [Win.Trojan.Remcos-9752328-1, Win.Trojan.Remco...                    179   \n",
       "7     [SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL]                    263   \n",
       "8                      [Win.Trojan.Remcos-9841897-0]                    330   \n",
       "9                      [Win.Trojan.Remcos-9841897-0]                    278   \n",
       "\n",
       "  intelligence.uploads intelligence.mail  \n",
       "0                    1              None  \n",
       "1                    1              None  \n",
       "2                    1              None  \n",
       "3                    1              None  \n",
       "4                    4              None  \n",
       "5                    1              None  \n",
       "6                    4              None  \n",
       "7                    1              None  \n",
       "8                    1              None  \n",
       "9                    1              None  \n",
       "\n",
       "[10 rows x 25 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"win_remcos_g0\", mb_type='yara', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieves latest samples that matches the specified TLSH"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 11,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>tlsh</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>52fce8f05b7bcad7c37912d8408be264e25301464474c4...</td>\n",
       "      <td>f7af2c9164495b59c212fe63a822ba96e87fae7c91ad87...</td>\n",
       "      <td>f4683e2471507c46d615e2139b25507e3406de7f</td>\n",
       "      <td>ba061b60e72e81ef174c6f38ecbe40a5</td>\n",
       "      <td>2020-06-17 00:09:41</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__913ab4nu59ok.exe.malw</td>\n",
       "      <td>496037</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>68</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>e549369801506cbbef9a872289ac450273a6f1673e2c9b...</td>\n",
       "      <td>2483b4b9e4c0a25d57a6bd628b9c59e6040d37c7760873...</td>\n",
       "      <td>f96464d8c8b3a4591a4bc34452a59df7052aabd9</td>\n",
       "      <td>991b6d39966597c12b0ea799a056d49e</td>\n",
       "      <td>2020-06-17 00:09:34</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__910ab4nu59ok.exe.malw</td>\n",
       "      <td>496127</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>67</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>69b47b24ade5077dd694765b73e1fb2c16c69d03e39f42...</td>\n",
       "      <td>93739fdca08dff670f91b4af8b8633809a76173ce97d6f...</td>\n",
       "      <td>b21075a21bd7473620a5d67746185ed0efe17c1b</td>\n",
       "      <td>8f914d42f69b6408cfcb12922ee39699</td>\n",
       "      <td>2020-06-16 23:35:00</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__2988ab4nu59ok.exe.malw</td>\n",
       "      <td>495990</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>59</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>cfb9760bf161f34f1f6922babe8c09dd9477b34b832de1...</td>\n",
       "      <td>1d888d5c5c303b6e5871bc70c8672cced0891700e348f4...</td>\n",
       "      <td>64b56fa3c3fc6542632d0d5d1d819e4c35cd34ad</td>\n",
       "      <td>1b9453d1193a14db559150f40d953987</td>\n",
       "      <td>2020-06-16 23:18:36</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__2711ab4nu59ok.exe.malw</td>\n",
       "      <td>496085</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>61</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>c7d996fed3fac2ff6add0ba741a61176f20dadcf25cfce...</td>\n",
       "      <td>31c27c607d7691a98a816028cc9804f2427cdf3853cab2...</td>\n",
       "      <td>9587b2eff81736f4bb98a33782665907bcc98ca5</td>\n",
       "      <td>efdd28e398a9cadc5a97877a90122913</td>\n",
       "      <td>2020-06-16 22:42:20</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__198ab4nu59ok.exe.malw</td>\n",
       "      <td>496164</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>60</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>f2757682119b5daf632e40b37586d55850ef46cd510f18...</td>\n",
       "      <td>31aff8cd78201e74db323bb3315e6adb954e5358926179...</td>\n",
       "      <td>3f8db2d73670b655fbe3375dbb07a5ef676fb082</td>\n",
       "      <td>354f67d77cbf9d5ccd211673205c3dc3</td>\n",
       "      <td>2020-06-16 22:38:15</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__1941ab4nu59ok.exe.malw</td>\n",
       "      <td>496078</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>54</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>eba4014f86d3d6ff53b40db04fe41a62ab3bbea61761d9...</td>\n",
       "      <td>2c7f98f4de25b2c679b08df288eeff364c53f24fda68b1...</td>\n",
       "      <td>c92d4b2698e653d37de5f7bf4bd3387e00624523</td>\n",
       "      <td>89e958619bc685ce85b52950f52c022e</td>\n",
       "      <td>2020-06-16 22:37:40</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__1928ab4nu59ok.exe.malw</td>\n",
       "      <td>496390</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>53</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>2d9e273e556e79c1a712a7b8044be998d681cc7953b1f8...</td>\n",
       "      <td>127294be489448bd6d1f55f399271510e85381a66b2a80...</td>\n",
       "      <td>2e387fc861253bd637ba24425030c3be65085bfb</td>\n",
       "      <td>438f2357cf0916af3b6e495c140456b8</td>\n",
       "      <td>2020-06-16 22:18:19</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__1623ab4nu59ok.exe.malw</td>\n",
       "      <td>496056</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>61</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>2c3723ae043796895afb2aa8e6d465e65e1fc0b22dac84...</td>\n",
       "      <td>601223ce7eeb84a0545ed9e455b6f0865ca64bbb05b2d9...</td>\n",
       "      <td>c7d18c164f41faf9337a4d2ee7e25fa32d6cc7cb</td>\n",
       "      <td>a1efd37441a618a2b4a4a38ebc768051</td>\n",
       "      <td>2020-06-16 22:15:46</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__158ab4nu59ok.exe.malw</td>\n",
       "      <td>496289</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>57</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>6560ba1a1c5046ef58b32c96871949ea41a50f94397721...</td>\n",
       "      <td>71a8f2cce38c299324bb98d685bfcd56efa1fec1be4892...</td>\n",
       "      <td>3dfc79aa0876d075e5917e4f3798e351b75b04d4</td>\n",
       "      <td>fa57f5d615aabe519d250deae48ecdf3</td>\n",
       "      <td>2020-06-16 22:08:50</td>\n",
       "      <td>None</td>\n",
       "      <td>pops.works_manahet__1498ab4nu59ok.exe.malw</td>\n",
       "      <td>496017</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[malw, TrickBot]</td>\n",
       "      <td>[SecuriteInfo.com.BScope.Backdoor.Emotet.14181...</td>\n",
       "      <td>58</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>10 rows × 24 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                         sha256_hash  \\\n",
       "0  52fce8f05b7bcad7c37912d8408be264e25301464474c4...   \n",
       "1  e549369801506cbbef9a872289ac450273a6f1673e2c9b...   \n",
       "2  69b47b24ade5077dd694765b73e1fb2c16c69d03e39f42...   \n",
       "3  cfb9760bf161f34f1f6922babe8c09dd9477b34b832de1...   \n",
       "4  c7d996fed3fac2ff6add0ba741a61176f20dadcf25cfce...   \n",
       "5  f2757682119b5daf632e40b37586d55850ef46cd510f18...   \n",
       "6  eba4014f86d3d6ff53b40db04fe41a62ab3bbea61761d9...   \n",
       "7  2d9e273e556e79c1a712a7b8044be998d681cc7953b1f8...   \n",
       "8  2c3723ae043796895afb2aa8e6d465e65e1fc0b22dac84...   \n",
       "9  6560ba1a1c5046ef58b32c96871949ea41a50f94397721...   \n",
       "\n",
       "                                       sha3_384_hash  \\\n",
       "0  f7af2c9164495b59c212fe63a822ba96e87fae7c91ad87...   \n",
       "1  2483b4b9e4c0a25d57a6bd628b9c59e6040d37c7760873...   \n",
       "2  93739fdca08dff670f91b4af8b8633809a76173ce97d6f...   \n",
       "3  1d888d5c5c303b6e5871bc70c8672cced0891700e348f4...   \n",
       "4  31c27c607d7691a98a816028cc9804f2427cdf3853cab2...   \n",
       "5  31aff8cd78201e74db323bb3315e6adb954e5358926179...   \n",
       "6  2c7f98f4de25b2c679b08df288eeff364c53f24fda68b1...   \n",
       "7  127294be489448bd6d1f55f399271510e85381a66b2a80...   \n",
       "8  601223ce7eeb84a0545ed9e455b6f0865ca64bbb05b2d9...   \n",
       "9  71a8f2cce38c299324bb98d685bfcd56efa1fec1be4892...   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  f4683e2471507c46d615e2139b25507e3406de7f  ba061b60e72e81ef174c6f38ecbe40a5   \n",
       "1  f96464d8c8b3a4591a4bc34452a59df7052aabd9  991b6d39966597c12b0ea799a056d49e   \n",
       "2  b21075a21bd7473620a5d67746185ed0efe17c1b  8f914d42f69b6408cfcb12922ee39699   \n",
       "3  64b56fa3c3fc6542632d0d5d1d819e4c35cd34ad  1b9453d1193a14db559150f40d953987   \n",
       "4  9587b2eff81736f4bb98a33782665907bcc98ca5  efdd28e398a9cadc5a97877a90122913   \n",
       "5  3f8db2d73670b655fbe3375dbb07a5ef676fb082  354f67d77cbf9d5ccd211673205c3dc3   \n",
       "6  c92d4b2698e653d37de5f7bf4bd3387e00624523  89e958619bc685ce85b52950f52c022e   \n",
       "7  2e387fc861253bd637ba24425030c3be65085bfb  438f2357cf0916af3b6e495c140456b8   \n",
       "8  c7d18c164f41faf9337a4d2ee7e25fa32d6cc7cb  a1efd37441a618a2b4a4a38ebc768051   \n",
       "9  3dfc79aa0876d075e5917e4f3798e351b75b04d4  fa57f5d615aabe519d250deae48ecdf3   \n",
       "\n",
       "            first_seen last_seen                                   file_name  \\\n",
       "0  2020-06-17 00:09:41      None   pops.works_manahet__913ab4nu59ok.exe.malw   \n",
       "1  2020-06-17 00:09:34      None   pops.works_manahet__910ab4nu59ok.exe.malw   \n",
       "2  2020-06-16 23:35:00      None  pops.works_manahet__2988ab4nu59ok.exe.malw   \n",
       "3  2020-06-16 23:18:36      None  pops.works_manahet__2711ab4nu59ok.exe.malw   \n",
       "4  2020-06-16 22:42:20      None   pops.works_manahet__198ab4nu59ok.exe.malw   \n",
       "5  2020-06-16 22:38:15      None  pops.works_manahet__1941ab4nu59ok.exe.malw   \n",
       "6  2020-06-16 22:37:40      None  pops.works_manahet__1928ab4nu59ok.exe.malw   \n",
       "7  2020-06-16 22:18:19      None  pops.works_manahet__1623ab4nu59ok.exe.malw   \n",
       "8  2020-06-16 22:15:46      None   pops.works_manahet__158ab4nu59ok.exe.malw   \n",
       "9  2020-06-16 22:08:50      None  pops.works_manahet__1498ab4nu59ok.exe.malw   \n",
       "\n",
       "   file_size         file_type_mime file_type  ...  \\\n",
       "0     496037  application/x-dosexec       exe  ...   \n",
       "1     496127  application/x-dosexec       exe  ...   \n",
       "2     495990  application/x-dosexec       exe  ...   \n",
       "3     496085  application/x-dosexec       exe  ...   \n",
       "4     496164  application/x-dosexec       exe  ...   \n",
       "5     496078  application/x-dosexec       exe  ...   \n",
       "6     496390  application/x-dosexec       exe  ...   \n",
       "7     496056  application/x-dosexec       exe  ...   \n",
       "8     496289  application/x-dosexec       exe  ...   \n",
       "9     496017  application/x-dosexec       exe  ...   \n",
       "\n",
       "                                                tlsh  telfhash gimphash  \\\n",
       "0  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "1  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "2  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "3  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "4  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "5  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "6  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "7  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "8  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "9  4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4...      None     None   \n",
       "\n",
       "                                              ssdeep dhash_icon  \\\n",
       "0  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "1  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "2  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "3  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "4  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "5  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "6  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "7  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "8  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "9  6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU...       None   \n",
       "\n",
       "               tags                                intelligence.clamav  \\\n",
       "0  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "1  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "2  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "3  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "4  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "5  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "6  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "7  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "8  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "9  [malw, TrickBot]  [SecuriteInfo.com.BScope.Backdoor.Emotet.14181...   \n",
       "\n",
       "  intelligence.downloads intelligence.uploads intelligence.mail  \n",
       "0                     68                    1              None  \n",
       "1                     67                    1              None  \n",
       "2                     59                    1              None  \n",
       "3                     61                    1              None  \n",
       "4                     60                    1              None  \n",
       "5                     54                    1              None  \n",
       "6                     53                    1              None  \n",
       "7                     61                    1              None  \n",
       "8                     57                    1              None  \n",
       "9                     58                    1              None  \n",
       "\n",
       "[10 rows x 24 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4FBC789AA020A31B05ED12350\", mb_type='tlsh', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieves latest samples that matches the specified Telfhash"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 12,
   "metadata": {
    "tags": []
   },
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>tlsh</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>2a57fa24db780dbd1f69f8e5a1b9b706b8c194c191caab...</td>\n",
       "      <td>a0a788306dea0da357ebf2a9eb8e33b5a49cff4e834d79...</td>\n",
       "      <td>51b84deed7b2241107fc2466ee35515c8bbf7c3f</td>\n",
       "      <td>9cd79b3a9da869b9b763620691ecc044</td>\n",
       "      <td>2021-06-22 15:22:38</td>\n",
       "      <td>None</td>\n",
       "      <td>9cd79b3a9da869b9b763620691ecc044</td>\n",
       "      <td>68176</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>88635AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, elf, intel, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>118</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>9367a86cc5573afc8c34963ac610baaa59fc279c2f38d1...</td>\n",
       "      <td>c3c8157eb7b395eb7bc3560af8efd89c1283b46358d682...</td>\n",
       "      <td>2cebe480f78bb005ec20a1b35f4d7701b6fb6021</td>\n",
       "      <td>cb8d0427ff2256bca6d0f668b66dc803</td>\n",
       "      <td>2021-02-23 19:16:02</td>\n",
       "      <td>None</td>\n",
       "      <td>cb8d0427ff2256bca6d0f668b66dc803</td>\n",
       "      <td>68176</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>E3634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>132</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>89b34c5b07f27d0d28a497525340fa17a623d53544dd59...</td>\n",
       "      <td>8e356f3cdfa5bb04e25cc11496768b649b62af0d57812a...</td>\n",
       "      <td>a9ad5e11e59037ebc178eac0f4708f590a6d7e0a</td>\n",
       "      <td>c8998a85f4c9f1d79ef360cf10ce01e3</td>\n",
       "      <td>2021-02-23 19:16:00</td>\n",
       "      <td>None</td>\n",
       "      <td>c8998a85f4c9f1d79ef360cf10ce01e3</td>\n",
       "      <td>68176</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>81634BC4B643D9F2ED0602B524B7EF338E76F5B6216AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcu/JOas6vYUZ...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>135</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>0ca882a6b9eac11e951bdb8dbf44dccf66c63818c68846...</td>\n",
       "      <td>b04d983571c634862a94710c75fefe5b3cb61286e8f26b...</td>\n",
       "      <td>cfadb6f29ef5fe8c2a05304002d446843a074e25</td>\n",
       "      <td>3208d52296dc5bd0d016b0869c3cc4c7</td>\n",
       "      <td>2021-02-23 19:13:38</td>\n",
       "      <td>None</td>\n",
       "      <td>3208d52296dc5bd0d016b0869c3cc4c7</td>\n",
       "      <td>68144</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>5C634AC8BA43D9F2EC0602B52077EF338E76F5B6215AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>91</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>f72ef232f04ae1ea49281e8e1d8a3d0b39ffd6622f8e8a...</td>\n",
       "      <td>2565e69468bc93b44a7d2e7b871c21dca89b00584a4863...</td>\n",
       "      <td>ff94b4e679a2af8da8a158ad47d73c45bb900213</td>\n",
       "      <td>59eb4dba2597fcf07f1953c8d7df8226</td>\n",
       "      <td>2021-02-23 19:13:13</td>\n",
       "      <td>None</td>\n",
       "      <td>59eb4dba2597fcf07f1953c8d7df8226</td>\n",
       "      <td>68144</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>C3634AC8BA43D9F2EC1602B52077EF338E76F5B6215AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>58</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>3386838e10e6f0235e26615bc5ca8fa43139eb0cf58453...</td>\n",
       "      <td>ae605253a5c8860b33e6528e2a518a517429628996e392...</td>\n",
       "      <td>ef59eb366924c376a377e6ef072f276aea26e0fb</td>\n",
       "      <td>6407985c60bd18bee0339e8e949dfe43</td>\n",
       "      <td>2021-02-23 19:13:06</td>\n",
       "      <td>None</td>\n",
       "      <td>6407985c60bd18bee0339e8e949dfe43</td>\n",
       "      <td>68176</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>65634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcMl2fas6vYUR...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>58</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>398c0b834906624f41aad7609c6a1d65a684f173a62fb6...</td>\n",
       "      <td>ba9d52b4a7b604eb063a92ba0bfa4b6dcab88e137601a4...</td>\n",
       "      <td>5fec0097093243d3d69f1c473eb4a2a992b58dcf</td>\n",
       "      <td>b1abf91fe2460339de5ab1d2da23b2a5</td>\n",
       "      <td>2021-02-23 19:12:31</td>\n",
       "      <td>None</td>\n",
       "      <td>b1abf91fe2460339de5ab1d2da23b2a5</td>\n",
       "      <td>68176</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>0D634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcMol2eas6vYU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>56</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>e3065b89a497edde2a814cf88204aa09a6ab6f181d8893...</td>\n",
       "      <td>7cc24dc2189d4502dc5f773826fecc43d05074bd6fb867...</td>\n",
       "      <td>7627d5f44dfbdcb332fc824693aee63004bef180</td>\n",
       "      <td>7b1ac2b9ff3e06aecca478466be683d8</td>\n",
       "      <td>2021-02-23 19:10:19</td>\n",
       "      <td>None</td>\n",
       "      <td>7b1ac2b9ff3e06aecca478466be683d8</td>\n",
       "      <td>68176</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>B7634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>51</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>15ff59c63e25fee8ab22639ee034600557090bb2789d0e...</td>\n",
       "      <td>a640ad190054466151b16ea18dc6ae262ec3b240beda28...</td>\n",
       "      <td>405096c641c1af1417fe239be43611a184fc48bd</td>\n",
       "      <td>de61ac7b487c95db132070e6add18c7c</td>\n",
       "      <td>2021-02-23 19:10:16</td>\n",
       "      <td>None</td>\n",
       "      <td>de61ac7b487c95db132070e6add18c7c</td>\n",
       "      <td>68176</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>99634BC4B643D9F2ED0602B524B7EF338E76F5B6216AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcu/JOas6vYUR...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>54</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>84b5aa70e56ee461234480fd887a2b08c5e717b62b3020...</td>\n",
       "      <td>643287d5665d73b3bfdd40bca2895d57d98f121747431a...</td>\n",
       "      <td>17bdf61c4fa9fa9d6717f595b44207861287c26d</td>\n",
       "      <td>e495a650899a09ff1b1bbb22e5c1b42c</td>\n",
       "      <td>2021-02-23 19:10:04</td>\n",
       "      <td>None</td>\n",
       "      <td>e495a650899a09ff1b1bbb22e5c1b42c</td>\n",
       "      <td>68144</td>\n",
       "      <td>application/x-executable</td>\n",
       "      <td>elf</td>\n",
       "      <td>...</td>\n",
       "      <td>85634AC8BA43D9F2EC0602B52077EF338E76F5B6215AF9...</td>\n",
       "      <td>ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH...</td>\n",
       "      <td>None</td>\n",
       "      <td>[botnet, mirai]</td>\n",
       "      <td>[SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...</td>\n",
       "      <td>51</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>10 rows × 24 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                         sha256_hash  \\\n",
       "0  2a57fa24db780dbd1f69f8e5a1b9b706b8c194c191caab...   \n",
       "1  9367a86cc5573afc8c34963ac610baaa59fc279c2f38d1...   \n",
       "2  89b34c5b07f27d0d28a497525340fa17a623d53544dd59...   \n",
       "3  0ca882a6b9eac11e951bdb8dbf44dccf66c63818c68846...   \n",
       "4  f72ef232f04ae1ea49281e8e1d8a3d0b39ffd6622f8e8a...   \n",
       "5  3386838e10e6f0235e26615bc5ca8fa43139eb0cf58453...   \n",
       "6  398c0b834906624f41aad7609c6a1d65a684f173a62fb6...   \n",
       "7  e3065b89a497edde2a814cf88204aa09a6ab6f181d8893...   \n",
       "8  15ff59c63e25fee8ab22639ee034600557090bb2789d0e...   \n",
       "9  84b5aa70e56ee461234480fd887a2b08c5e717b62b3020...   \n",
       "\n",
       "                                       sha3_384_hash  \\\n",
       "0  a0a788306dea0da357ebf2a9eb8e33b5a49cff4e834d79...   \n",
       "1  c3c8157eb7b395eb7bc3560af8efd89c1283b46358d682...   \n",
       "2  8e356f3cdfa5bb04e25cc11496768b649b62af0d57812a...   \n",
       "3  b04d983571c634862a94710c75fefe5b3cb61286e8f26b...   \n",
       "4  2565e69468bc93b44a7d2e7b871c21dca89b00584a4863...   \n",
       "5  ae605253a5c8860b33e6528e2a518a517429628996e392...   \n",
       "6  ba9d52b4a7b604eb063a92ba0bfa4b6dcab88e137601a4...   \n",
       "7  7cc24dc2189d4502dc5f773826fecc43d05074bd6fb867...   \n",
       "8  a640ad190054466151b16ea18dc6ae262ec3b240beda28...   \n",
       "9  643287d5665d73b3bfdd40bca2895d57d98f121747431a...   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  51b84deed7b2241107fc2466ee35515c8bbf7c3f  9cd79b3a9da869b9b763620691ecc044   \n",
       "1  2cebe480f78bb005ec20a1b35f4d7701b6fb6021  cb8d0427ff2256bca6d0f668b66dc803   \n",
       "2  a9ad5e11e59037ebc178eac0f4708f590a6d7e0a  c8998a85f4c9f1d79ef360cf10ce01e3   \n",
       "3  cfadb6f29ef5fe8c2a05304002d446843a074e25  3208d52296dc5bd0d016b0869c3cc4c7   \n",
       "4  ff94b4e679a2af8da8a158ad47d73c45bb900213  59eb4dba2597fcf07f1953c8d7df8226   \n",
       "5  ef59eb366924c376a377e6ef072f276aea26e0fb  6407985c60bd18bee0339e8e949dfe43   \n",
       "6  5fec0097093243d3d69f1c473eb4a2a992b58dcf  b1abf91fe2460339de5ab1d2da23b2a5   \n",
       "7  7627d5f44dfbdcb332fc824693aee63004bef180  7b1ac2b9ff3e06aecca478466be683d8   \n",
       "8  405096c641c1af1417fe239be43611a184fc48bd  de61ac7b487c95db132070e6add18c7c   \n",
       "9  17bdf61c4fa9fa9d6717f595b44207861287c26d  e495a650899a09ff1b1bbb22e5c1b42c   \n",
       "\n",
       "            first_seen last_seen                         file_name  file_size  \\\n",
       "0  2021-06-22 15:22:38      None  9cd79b3a9da869b9b763620691ecc044      68176   \n",
       "1  2021-02-23 19:16:02      None  cb8d0427ff2256bca6d0f668b66dc803      68176   \n",
       "2  2021-02-23 19:16:00      None  c8998a85f4c9f1d79ef360cf10ce01e3      68176   \n",
       "3  2021-02-23 19:13:38      None  3208d52296dc5bd0d016b0869c3cc4c7      68144   \n",
       "4  2021-02-23 19:13:13      None  59eb4dba2597fcf07f1953c8d7df8226      68144   \n",
       "5  2021-02-23 19:13:06      None  6407985c60bd18bee0339e8e949dfe43      68176   \n",
       "6  2021-02-23 19:12:31      None  b1abf91fe2460339de5ab1d2da23b2a5      68176   \n",
       "7  2021-02-23 19:10:19      None  7b1ac2b9ff3e06aecca478466be683d8      68176   \n",
       "8  2021-02-23 19:10:16      None  de61ac7b487c95db132070e6add18c7c      68176   \n",
       "9  2021-02-23 19:10:04      None  e495a650899a09ff1b1bbb22e5c1b42c      68144   \n",
       "\n",
       "             file_type_mime file_type  ...  \\\n",
       "0  application/x-executable       elf  ...   \n",
       "1  application/x-executable       elf  ...   \n",
       "2  application/x-executable       elf  ...   \n",
       "3  application/x-executable       elf  ...   \n",
       "4  application/x-executable       elf  ...   \n",
       "5  application/x-executable       elf  ...   \n",
       "6  application/x-executable       elf  ...   \n",
       "7  application/x-executable       elf  ...   \n",
       "8  application/x-executable       elf  ...   \n",
       "9  application/x-executable       elf  ...   \n",
       "\n",
       "                                                tlsh  \\\n",
       "0  88635AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...   \n",
       "1  E3634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...   \n",
       "2  81634BC4B643D9F2ED0602B524B7EF338E76F5B6216AF9...   \n",
       "3  5C634AC8BA43D9F2EC0602B52077EF338E76F5B6215AF9...   \n",
       "4  C3634AC8BA43D9F2EC1602B52077EF338E76F5B6215AF9...   \n",
       "5  65634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...   \n",
       "6  0D634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...   \n",
       "7  B7634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9...   \n",
       "8  99634BC4B643D9F2ED0602B524B7EF338E76F5B6216AF9...   \n",
       "9  85634AC8BA43D9F2EC0602B52077EF338E76F5B6215AF9...   \n",
       "\n",
       "                                            telfhash gimphash  \\\n",
       "0  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "1  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "2  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "3  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "4  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "5  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "6  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "7  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "8  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "9  ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037...     None   \n",
       "\n",
       "                                              ssdeep dhash_icon  \\\n",
       "0  1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU...       None   \n",
       "1  1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU...       None   \n",
       "2  1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcu/JOas6vYUZ...       None   \n",
       "3  1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH...       None   \n",
       "4  1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH...       None   \n",
       "5  1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcMl2fas6vYUR...       None   \n",
       "6  1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcMol2eas6vYU...       None   \n",
       "7  1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU...       None   \n",
       "8  1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcu/JOas6vYUR...       None   \n",
       "9  1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH...       None   \n",
       "\n",
       "                      tags                                intelligence.clamav  \\\n",
       "0  [32, elf, intel, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "1          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "2          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "3          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "4          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "5          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "6          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "7          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "8          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "9          [botnet, mirai]  [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S...   \n",
       "\n",
       "  intelligence.downloads intelligence.uploads intelligence.mail  \n",
       "0                    118                    1              None  \n",
       "1                    132                    1              None  \n",
       "2                    135                    1              None  \n",
       "3                     91                    1              None  \n",
       "4                     58                    1              None  \n",
       "5                     58                    1              None  \n",
       "6                     56                    1              None  \n",
       "7                     51                    1              None  \n",
       "8                     54                    1              None  \n",
       "9                     51                    1              None  \n",
       "\n",
       "[10 rows x 24 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037a00463e93033abe466069c7a\", mb_type='telfhash', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieves latest samples that matches the specified Gimphash"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 13,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>tlsh</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c...</td>\n",
       "      <td>74e9232b812f998d63121c5836d26e85c09abea8e8e3c2...</td>\n",
       "      <td>265a613ac405e6c3557e36a19f0ead2d18638cb0</td>\n",
       "      <td>06124da5b4d6ef31dbfd7a6094fc52a6</td>\n",
       "      <td>2022-04-05 06:30:21</td>\n",
       "      <td>2022-04-05 08:07:53</td>\n",
       "      <td>base-update.exe</td>\n",
       "      <td>4499408</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>T1C1264B23F89154E9C0AED230C666D262BB7178945730...</td>\n",
       "      <td>None</td>\n",
       "      <td>50f5783c2188897815d9b34a77aa4df70ac96a71542ddc...</td>\n",
       "      <td>49152:lPz3d4kmYh3Urb/TcvO90dL3BmAFd4A64nsfJTxe...</td>\n",
       "      <td>None</td>\n",
       "      <td>[Elephant, exe, Hive, Ransomware]</td>\n",
       "      <td>[SecuriteInfo.com.Trojan.PWS.Siggen3.13990.534...</td>\n",
       "      <td>213</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>1 rows × 24 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                         sha256_hash  \\\n",
       "0  9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c...   \n",
       "\n",
       "                                       sha3_384_hash  \\\n",
       "0  74e9232b812f998d63121c5836d26e85c09abea8e8e3c2...   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  265a613ac405e6c3557e36a19f0ead2d18638cb0  06124da5b4d6ef31dbfd7a6094fc52a6   \n",
       "\n",
       "            first_seen            last_seen        file_name  file_size  \\\n",
       "0  2022-04-05 06:30:21  2022-04-05 08:07:53  base-update.exe    4499408   \n",
       "\n",
       "          file_type_mime file_type  ...  \\\n",
       "0  application/x-dosexec       exe  ...   \n",
       "\n",
       "                                                tlsh  telfhash  \\\n",
       "0  T1C1264B23F89154E9C0AED230C666D262BB7178945730...      None   \n",
       "\n",
       "                                            gimphash  \\\n",
       "0  50f5783c2188897815d9b34a77aa4df70ac96a71542ddc...   \n",
       "\n",
       "                                              ssdeep dhash_icon  \\\n",
       "0  49152:lPz3d4kmYh3Urb/TcvO90dL3BmAFd4A64nsfJTxe...       None   \n",
       "\n",
       "                                tags  \\\n",
       "0  [Elephant, exe, Hive, Ransomware]   \n",
       "\n",
       "                                 intelligence.clamav intelligence.downloads  \\\n",
       "0  [SecuriteInfo.com.Trojan.PWS.Siggen3.13990.534...                    213   \n",
       "\n",
       "  intelligence.uploads intelligence.mail  \n",
       "0                    2              None  \n",
       "\n",
       "[1 rows x 24 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"50f5783c2188897815d9b34a77aa4df70ac96a71542ddc79b94fef8ce7ba2120\", mb_type='gimphash', limit=10)\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieves latest samples that matches the specified Certificate Issuer Info"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 14,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>anonymous</th>\n",
       "      <th>signature</th>\n",
       "      <th>imphash</th>\n",
       "      <th>tlsh</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>code_sign</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>bbb3c68240e69552a21b9fc649cf9a2686d26ad9297d87...</td>\n",
       "      <td>None</td>\n",
       "      <td>fece4c968c28f10849f7708346842a4c844aa5d3</td>\n",
       "      <td>4a4d26599ba12e48de5310d2b789ef90</td>\n",
       "      <td>2022-07-15 14:43:52</td>\n",
       "      <td>None</td>\n",
       "      <td>virussign.com_4a4d26599ba12e48de5310d2b789ef90</td>\n",
       "      <td>3393656</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>None</td>\n",
       "      <td>00be6e6c4f9e287672c8301b72bdabf3</td>\n",
       "      <td>T19EF512C1EDA042B9E6A10F3149A5F6351B6D3FF0FE24...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>98304:C5zgfx9C7H5O1Wy8GgZ5samBLz2aj352a0GV027Z...</td>\n",
       "      <td>78e4cad0e6a6b8d8</td>\n",
       "      <td>[exe, signed]</td>\n",
       "      <td>[{'subject_cn': 'Audials AG', 'issuer_cn': 'Se...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee...</td>\n",
       "      <td>None</td>\n",
       "      <td>b575cf708602d0285e97071dc7bee8daef415832</td>\n",
       "      <td>99fdd1d682a0c2999731ad61b2c0cc2e</td>\n",
       "      <td>2022-07-14 18:20:50</td>\n",
       "      <td>2022-07-14 22:04:43</td>\n",
       "      <td>99fdd1d682a0c2999731ad61b2c0cc2e.exe</td>\n",
       "      <td>17269872</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>RemoteManipulator</td>\n",
       "      <td>38be718d163809a15e0c7a672311fe41</td>\n",
       "      <td>T19407336BE7E68825D4FB47BA09BD8B20177ABCC91813...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>393216:YfdYUDnIXid6KrMleGADjXUlQuEPrDLQCLs6JAY...</td>\n",
       "      <td>c4dacabacac0c244</td>\n",
       "      <td>[exe, RemoteManipulator, signed]</td>\n",
       "      <td>[{'subject_cn': 'Remote Utilities LLC', 'issue...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>68fff33757fe2d5f3453319c42c4f2fa0e566db3e9e192...</td>\n",
       "      <td>None</td>\n",
       "      <td>7feb1ad024ba549905c3e112982db2ff6d7a066b</td>\n",
       "      <td>84786123b44e1c871a458403c82519ae</td>\n",
       "      <td>2022-07-12 10:45:18</td>\n",
       "      <td>None</td>\n",
       "      <td>68fff33757fe2d5f3453319c42c4f2fa0e566db3e9e192...</td>\n",
       "      <td>1795832</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>None</td>\n",
       "      <td>117f9d7a56c3cbec9a67cd881171e7ec</td>\n",
       "      <td>T184855D21A3D58437D0732E7A5C2A96946D2A7E202E78...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>49152:1gE01Su+FT8wSa3C3+6Oo9grFiw5fT+XOnUg:1gV...</td>\n",
       "      <td>cc94b2a6a2a2a0f0</td>\n",
       "      <td>[exe, signed]</td>\n",
       "      <td>[{'subject_cn': 'IObit CO., LTD', 'issuer_cn':...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>8d50514a50c7f6c76a47524a40aba6d7b25de685c5558b...</td>\n",
       "      <td>None</td>\n",
       "      <td>9e7af942ca6147a9517c16f018d61f6a025044c3</td>\n",
       "      <td>9ba470b8527aa227810d0c7316ab0a5a</td>\n",
       "      <td>2022-07-11 09:47:25</td>\n",
       "      <td>None</td>\n",
       "      <td>8d50514a50c7f6c76a47524a40aba6d7b25de685c5558b...</td>\n",
       "      <td>1222592</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>dll</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>None</td>\n",
       "      <td>31b08bc72f8daf46c9fc08479f4bb223</td>\n",
       "      <td>T10F45CFB31914679AF370743E475C238164EB9C894BC9...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:vf9ROHAu+fkh6oxqCiZk2r/mPoQrHJRM0dN+WMNx...</td>\n",
       "      <td>None</td>\n",
       "      <td>[dll, OmniContact, signed]</td>\n",
       "      <td>[{'subject_cn': 'OmniContact', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>57d6f2bef4bb6701f19f1009528cc716c8e220f3c86601...</td>\n",
       "      <td>None</td>\n",
       "      <td>d775b52aa8e1ca033572757b64f212b1701ce4ef</td>\n",
       "      <td>d0fca62ff23bf70ee6a3fc41cff8b2c1</td>\n",
       "      <td>2022-07-11 09:47:20</td>\n",
       "      <td>None</td>\n",
       "      <td>57d6f2bef4bb6701f19f1009528cc716c8e220f3c86601...</td>\n",
       "      <td>1222592</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>dll</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>None</td>\n",
       "      <td>31b08bc72f8daf46c9fc08479f4bb223</td>\n",
       "      <td>T11845CFB31914679AF370743E475C238164EB9C894BC9...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:Vf9ROHAu+fkh6oxqCiZk2r/mPoQrHJRM0dN+WMNx...</td>\n",
       "      <td>None</td>\n",
       "      <td>[dll, OmniContact, signed]</td>\n",
       "      <td>[{'subject_cn': 'OmniContact', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>...</th>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>95</th>\n",
       "      <td>1bdc2af9d05938e370a3aa3bdca8cc58923e85461f15cd...</td>\n",
       "      <td>None</td>\n",
       "      <td>04750cdaa55f51c718b1dace954e52007dcfcb24</td>\n",
       "      <td>76e1ca1c6012b83e028f5c6b20247dd6</td>\n",
       "      <td>2021-12-15 10:59:36</td>\n",
       "      <td>2021-12-15 13:01:09</td>\n",
       "      <td>1bdc2af9d05938e370a3aa3bdca8cc58923e85461f15cd...</td>\n",
       "      <td>782256</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>dll</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>Quakbot</td>\n",
       "      <td>c967abd8a4b2caed74d57814c5fadb12</td>\n",
       "      <td>T194F49F22B2F14477C1B32A3D9C7B52A594297E113E38...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:W03XYpmWl+zDTCWxLgXUlId1AMK++U4wvpAHXQDf...</td>\n",
       "      <td>399998ecd4d46c0e</td>\n",
       "      <td>[dll, MIDDRA INTERNATIONAL CORP., Quakbot, sig...</td>\n",
       "      <td>[{'subject_cn': 'MIDDRA INTERNATIONAL CORP.', ...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>96</th>\n",
       "      <td>01c434536512a312098bcdf8a82dc3172153e15b7c033a...</td>\n",
       "      <td>None</td>\n",
       "      <td>5f91717901585e8de4993fd916703314bcac6715</td>\n",
       "      <td>ea93eb3704c67210a65f14cde3feb6d2</td>\n",
       "      <td>2021-12-15 10:59:29</td>\n",
       "      <td>2021-12-15 13:01:16</td>\n",
       "      <td>01c434536512a312098bcdf8a82dc3172153e15b7c033a...</td>\n",
       "      <td>524720</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>dll</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>Quakbot</td>\n",
       "      <td>8e3a2e9f601b5312da264792515ac8a5</td>\n",
       "      <td>T199B4AF22F6D04437C2732A388C5F56A8A8357E502E29...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:iPjtak6OdAvsE1655WY9NceCizMz/NrKp+:Ujgeb...</td>\n",
       "      <td>399998ecd4d46c0e</td>\n",
       "      <td>[dll, MIDDRA INTERNATIONAL CORP., Quakbot, sig...</td>\n",
       "      <td>[{'subject_cn': 'MIDDRA INTERNATIONAL CORP.', ...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>97</th>\n",
       "      <td>950008035d225dd5f4c3a229082f1206eb9bce8c4aa482...</td>\n",
       "      <td>None</td>\n",
       "      <td>549735f585590452985451faf8ab1e6f22903abf</td>\n",
       "      <td>518d125bb64a8f8dc8b94054daf5e6df</td>\n",
       "      <td>2021-12-14 20:14:05</td>\n",
       "      <td>2021-12-15 00:51:19</td>\n",
       "      <td>518d125bb64a8f8dc8b94054daf5e6df</td>\n",
       "      <td>375656</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>CobaltStrike</td>\n",
       "      <td>1e8a809e0505b426516db96be454b4f8</td>\n",
       "      <td>T1FB84F361B2D6AF33F5135633C479AFB21E0BDDA802CE...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:eum89DM6Wn26B/vLcTnR2PYbtw3nnhsW/WQkwy+qq...</td>\n",
       "      <td>c0d4ec80b0b4b4e4</td>\n",
       "      <td>[32, CobaltStrike, exe, signed, trojan]</td>\n",
       "      <td>[{'subject_cn': 'REI LUX UK LIMITED', 'issuer_...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>98</th>\n",
       "      <td>8140ac01ec377af7788eddd79d665d5000b34e7d064499...</td>\n",
       "      <td>None</td>\n",
       "      <td>9db7b3f5c7cff58d8a06f2f4cc82d9f7339f49e1</td>\n",
       "      <td>67d5dfcde8225a0cdf760d833ca44387</td>\n",
       "      <td>2021-12-14 17:50:31</td>\n",
       "      <td>None</td>\n",
       "      <td>Yukoste3.ocx</td>\n",
       "      <td>535440</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>dll</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>Matanbuchus</td>\n",
       "      <td>c87b0244d3ec3baa302e51fc063cf2a4</td>\n",
       "      <td>T1C4B47CB6B7DF8437D22315389C5B6F74A835FE502D28...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:OCoerqtL8cwg/dQA1pb6ENUvIq9YXItrhL+hMalf...</td>\n",
       "      <td>399998ecd4d46c0e</td>\n",
       "      <td>[dll, matanbuchus, ocx, Qakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'TLGM ApS', 'issuer_cn': 'Sect...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>99</th>\n",
       "      <td>7c549b6db99a8422b4e3c5a4d291057832ac5a36b6368a...</td>\n",
       "      <td>None</td>\n",
       "      <td>575f6e0a006bc19d5dfb5e5001f0b2b1a69cc0e8</td>\n",
       "      <td>62f20e4565b40b78c9b0c1c7f77c1f64</td>\n",
       "      <td>2021-12-14 17:49:42</td>\n",
       "      <td>None</td>\n",
       "      <td>Yukoste1.ocx</td>\n",
       "      <td>782224</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>dll</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>Quakbot</td>\n",
       "      <td>c967abd8a4b2caed74d57814c5fadb12</td>\n",
       "      <td>T1ECF49F22B1F18477C1B32A3D9C7B52A594297E113E38...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:B03XYpmWl+zDTCWxLgXUlId1AMK++U4wvpAHXQDf...</td>\n",
       "      <td>399998ecd4d46c0e</td>\n",
       "      <td>[dll, ocx, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'TLGM ApS', 'issuer_cn': 'Sect...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>100 rows × 21 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                          sha256_hash sha3_384_hash  \\\n",
       "0   bbb3c68240e69552a21b9fc649cf9a2686d26ad9297d87...          None   \n",
       "1   cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee...          None   \n",
       "2   68fff33757fe2d5f3453319c42c4f2fa0e566db3e9e192...          None   \n",
       "3   8d50514a50c7f6c76a47524a40aba6d7b25de685c5558b...          None   \n",
       "4   57d6f2bef4bb6701f19f1009528cc716c8e220f3c86601...          None   \n",
       "..                                                ...           ...   \n",
       "95  1bdc2af9d05938e370a3aa3bdca8cc58923e85461f15cd...          None   \n",
       "96  01c434536512a312098bcdf8a82dc3172153e15b7c033a...          None   \n",
       "97  950008035d225dd5f4c3a229082f1206eb9bce8c4aa482...          None   \n",
       "98  8140ac01ec377af7788eddd79d665d5000b34e7d064499...          None   \n",
       "99  7c549b6db99a8422b4e3c5a4d291057832ac5a36b6368a...          None   \n",
       "\n",
       "                                   sha1_hash  \\\n",
       "0   fece4c968c28f10849f7708346842a4c844aa5d3   \n",
       "1   b575cf708602d0285e97071dc7bee8daef415832   \n",
       "2   7feb1ad024ba549905c3e112982db2ff6d7a066b   \n",
       "3   9e7af942ca6147a9517c16f018d61f6a025044c3   \n",
       "4   d775b52aa8e1ca033572757b64f212b1701ce4ef   \n",
       "..                                       ...   \n",
       "95  04750cdaa55f51c718b1dace954e52007dcfcb24   \n",
       "96  5f91717901585e8de4993fd916703314bcac6715   \n",
       "97  549735f585590452985451faf8ab1e6f22903abf   \n",
       "98  9db7b3f5c7cff58d8a06f2f4cc82d9f7339f49e1   \n",
       "99  575f6e0a006bc19d5dfb5e5001f0b2b1a69cc0e8   \n",
       "\n",
       "                            md5_hash           first_seen  \\\n",
       "0   4a4d26599ba12e48de5310d2b789ef90  2022-07-15 14:43:52   \n",
       "1   99fdd1d682a0c2999731ad61b2c0cc2e  2022-07-14 18:20:50   \n",
       "2   84786123b44e1c871a458403c82519ae  2022-07-12 10:45:18   \n",
       "3   9ba470b8527aa227810d0c7316ab0a5a  2022-07-11 09:47:25   \n",
       "4   d0fca62ff23bf70ee6a3fc41cff8b2c1  2022-07-11 09:47:20   \n",
       "..                               ...                  ...   \n",
       "95  76e1ca1c6012b83e028f5c6b20247dd6  2021-12-15 10:59:36   \n",
       "96  ea93eb3704c67210a65f14cde3feb6d2  2021-12-15 10:59:29   \n",
       "97  518d125bb64a8f8dc8b94054daf5e6df  2021-12-14 20:14:05   \n",
       "98  67d5dfcde8225a0cdf760d833ca44387  2021-12-14 17:50:31   \n",
       "99  62f20e4565b40b78c9b0c1c7f77c1f64  2021-12-14 17:49:42   \n",
       "\n",
       "              last_seen                                          file_name  \\\n",
       "0                  None     virussign.com_4a4d26599ba12e48de5310d2b789ef90   \n",
       "1   2022-07-14 22:04:43               99fdd1d682a0c2999731ad61b2c0cc2e.exe   \n",
       "2                  None  68fff33757fe2d5f3453319c42c4f2fa0e566db3e9e192...   \n",
       "3                  None  8d50514a50c7f6c76a47524a40aba6d7b25de685c5558b...   \n",
       "4                  None  57d6f2bef4bb6701f19f1009528cc716c8e220f3c86601...   \n",
       "..                  ...                                                ...   \n",
       "95  2021-12-15 13:01:09  1bdc2af9d05938e370a3aa3bdca8cc58923e85461f15cd...   \n",
       "96  2021-12-15 13:01:16  01c434536512a312098bcdf8a82dc3172153e15b7c033a...   \n",
       "97  2021-12-15 00:51:19                   518d125bb64a8f8dc8b94054daf5e6df   \n",
       "98                 None                                       Yukoste3.ocx   \n",
       "99                 None                                       Yukoste1.ocx   \n",
       "\n",
       "    file_size         file_type_mime file_type  ... anonymous  \\\n",
       "0     3393656  application/x-dosexec       exe  ...         0   \n",
       "1    17269872  application/x-dosexec       exe  ...         0   \n",
       "2     1795832  application/x-dosexec       exe  ...         0   \n",
       "3     1222592  application/x-dosexec       dll  ...         0   \n",
       "4     1222592  application/x-dosexec       dll  ...         0   \n",
       "..        ...                    ...       ...  ...       ...   \n",
       "95     782256  application/x-dosexec       dll  ...         0   \n",
       "96     524720  application/x-dosexec       dll  ...         0   \n",
       "97     375656  application/x-dosexec       exe  ...         0   \n",
       "98     535440  application/x-dosexec       dll  ...         0   \n",
       "99     782224  application/x-dosexec       dll  ...         0   \n",
       "\n",
       "            signature                           imphash  \\\n",
       "0                None  00be6e6c4f9e287672c8301b72bdabf3   \n",
       "1   RemoteManipulator  38be718d163809a15e0c7a672311fe41   \n",
       "2                None  117f9d7a56c3cbec9a67cd881171e7ec   \n",
       "3                None  31b08bc72f8daf46c9fc08479f4bb223   \n",
       "4                None  31b08bc72f8daf46c9fc08479f4bb223   \n",
       "..                ...                               ...   \n",
       "95            Quakbot  c967abd8a4b2caed74d57814c5fadb12   \n",
       "96            Quakbot  8e3a2e9f601b5312da264792515ac8a5   \n",
       "97       CobaltStrike  1e8a809e0505b426516db96be454b4f8   \n",
       "98        Matanbuchus  c87b0244d3ec3baa302e51fc063cf2a4   \n",
       "99            Quakbot  c967abd8a4b2caed74d57814c5fadb12   \n",
       "\n",
       "                                                 tlsh telfhash gimphash  \\\n",
       "0   T19EF512C1EDA042B9E6A10F3149A5F6351B6D3FF0FE24...     None     None   \n",
       "1   T19407336BE7E68825D4FB47BA09BD8B20177ABCC91813...     None     None   \n",
       "2   T184855D21A3D58437D0732E7A5C2A96946D2A7E202E78...     None     None   \n",
       "3   T10F45CFB31914679AF370743E475C238164EB9C894BC9...     None     None   \n",
       "4   T11845CFB31914679AF370743E475C238164EB9C894BC9...     None     None   \n",
       "..                                                ...      ...      ...   \n",
       "95  T194F49F22B2F14477C1B32A3D9C7B52A594297E113E38...     None     None   \n",
       "96  T199B4AF22F6D04437C2732A388C5F56A8A8357E502E29...     None     None   \n",
       "97  T1FB84F361B2D6AF33F5135633C479AFB21E0BDDA802CE...     None     None   \n",
       "98  T1C4B47CB6B7DF8437D22315389C5B6F74A835FE502D28...     None     None   \n",
       "99  T1ECF49F22B1F18477C1B32A3D9C7B52A594297E113E38...     None     None   \n",
       "\n",
       "                                               ssdeep        dhash_icon  \\\n",
       "0   98304:C5zgfx9C7H5O1Wy8GgZ5samBLz2aj352a0GV027Z...  78e4cad0e6a6b8d8   \n",
       "1   393216:YfdYUDnIXid6KrMleGADjXUlQuEPrDLQCLs6JAY...  c4dacabacac0c244   \n",
       "2   49152:1gE01Su+FT8wSa3C3+6Oo9grFiw5fT+XOnUg:1gV...  cc94b2a6a2a2a0f0   \n",
       "3   12288:vf9ROHAu+fkh6oxqCiZk2r/mPoQrHJRM0dN+WMNx...              None   \n",
       "4   12288:Vf9ROHAu+fkh6oxqCiZk2r/mPoQrHJRM0dN+WMNx...              None   \n",
       "..                                                ...               ...   \n",
       "95  12288:W03XYpmWl+zDTCWxLgXUlId1AMK++U4wvpAHXQDf...  399998ecd4d46c0e   \n",
       "96  12288:iPjtak6OdAvsE1655WY9NceCizMz/NrKp+:Ujgeb...  399998ecd4d46c0e   \n",
       "97  6144:eum89DM6Wn26B/vLcTnR2PYbtw3nnhsW/WQkwy+qq...  c0d4ec80b0b4b4e4   \n",
       "98  12288:OCoerqtL8cwg/dQA1pb6ENUvIq9YXItrhL+hMalf...  399998ecd4d46c0e   \n",
       "99  12288:B03XYpmWl+zDTCWxLgXUlId1AMK++U4wvpAHXQDf...  399998ecd4d46c0e   \n",
       "\n",
       "                                                 tags  \\\n",
       "0                                       [exe, signed]   \n",
       "1                    [exe, RemoteManipulator, signed]   \n",
       "2                                       [exe, signed]   \n",
       "3                          [dll, OmniContact, signed]   \n",
       "4                          [dll, OmniContact, signed]   \n",
       "..                                                ...   \n",
       "95  [dll, MIDDRA INTERNATIONAL CORP., Quakbot, sig...   \n",
       "96  [dll, MIDDRA INTERNATIONAL CORP., Quakbot, sig...   \n",
       "97            [32, CobaltStrike, exe, signed, trojan]   \n",
       "98            [dll, matanbuchus, ocx, Qakbot, signed]   \n",
       "99                [dll, ocx, Qakbot, Quakbot, signed]   \n",
       "\n",
       "                                            code_sign  \n",
       "0   [{'subject_cn': 'Audials AG', 'issuer_cn': 'Se...  \n",
       "1   [{'subject_cn': 'Remote Utilities LLC', 'issue...  \n",
       "2   [{'subject_cn': 'IObit CO., LTD', 'issuer_cn':...  \n",
       "3   [{'subject_cn': 'OmniContact', 'issuer_cn': 'S...  \n",
       "4   [{'subject_cn': 'OmniContact', 'issuer_cn': 'S...  \n",
       "..                                                ...  \n",
       "95  [{'subject_cn': 'MIDDRA INTERNATIONAL CORP.', ...  \n",
       "96  [{'subject_cn': 'MIDDRA INTERNATIONAL CORP.', ...  \n",
       "97  [{'subject_cn': 'REI LUX UK LIMITED', 'issuer_...  \n",
       "98  [{'subject_cn': 'TLGM ApS', 'issuer_cn': 'Sect...  \n",
       "99  [{'subject_cn': 'TLGM ApS', 'issuer_cn': 'Sect...  \n",
       "\n",
       "[100 rows x 21 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"Sectigo RSA Code Signing CA\", mb_type='issuerinfo')\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieves latest samples that matches the specified Certificate Subject Info"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 15,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "                                         sha256_hash sha3_384_hash  \\\n",
       "0  c79957ca77f6355fb02b9a0d9d2a4c86bca3d6fd53afbf...          None   \n",
       "1  257b0d37f34e05dc0ffb5e8c93f9a2eadf7d5ae3bcecb0...          None   \n",
       "2  f7125019233ca9714d5b2b16ef66119c37bc9033597f0c...          None   \n",
       "3  7ad188a87fed28bbb4570f32ad729c492d434b8d3efdc1...          None   \n",
       "\n",
       "                                  sha1_hash                          md5_hash  \\\n",
       "0  989847d98a42b5e38dec8da84273908773666fee  61f8e8680493350a1b3df43bde88030f   \n",
       "1  0c95cc765cfa1b623e4a2e19479a8d9388dd57df  7212195ad8edbdc8d063fa7ae29e4e04   \n",
       "2  9f34f0590d3c19153a800cdaea19b1ce4ba26cb6  36af9b047a76cd1e37a8188d8ad4119d   \n",
       "3  dfed494c9e2afc0aa48cbee2ad7f27ac9cef8a91  f7020878397a7dcf7f661a166ae9fab5   \n",
       "\n",
       "            first_seen            last_seen      file_name  file_size  \\\n",
       "0  2020-08-26 11:43:22  2020-08-26 12:51:22  srt_join2.bin     280448   \n",
       "1  2020-08-26 11:43:05  2020-08-26 12:51:31  srt_join1.bin     348032   \n",
       "2  2020-08-25 12:41:01  2020-08-25 14:14:08  srt_join2.bin     274304   \n",
       "3  2020-08-25 12:40:48  2020-08-25 14:17:52  srt_join1.bin     324480   \n",
       "\n",
       "          file_type_mime file_type  ... anonymous  signature  \\\n",
       "0  application/x-dosexec       exe  ...         0      TA505   \n",
       "1  application/x-dosexec       dll  ...         0      TA505   \n",
       "2  application/x-dosexec       exe  ...         0      TA505   \n",
       "3  application/x-dosexec       dll  ...         0      TA505   \n",
       "\n",
       "                            imphash  \\\n",
       "0  099a636c552cf9ca90b2cb789202a343   \n",
       "1  4b9b01fb6891e95cfb189a66c9ebc808   \n",
       "2  cdf5bfe175bda0bb60d50a48dd0ca746   \n",
       "3  57bbb25cc369c676e719c14c25249dd8   \n",
       "\n",
       "                                                tlsh telfhash gimphash  \\\n",
       "0  2A54C09ADB23D2E4E869D5F07574B6733E363D08E26447...     None     None   \n",
       "1  C574E102BBD2D5B9C8CB843458B55A7C07BBCD663F4028...     None     None   \n",
       "2  D044CFA7DB57B1EEF952D630E5A47A337E353918A12C8E...     None     None   \n",
       "3  186402485AE24A3AF1E9023C51E60744A9652DB02F90A0...     None     None   \n",
       "\n",
       "                                              ssdeep dhash_icon  \\\n",
       "0  3072:5Zw1GCu5naotdOJb72+1zhgR0hbxVzTvtV3aLztDA...       None   \n",
       "1  6144:bTbhpsgZ09JTYNirD6tlMFnYmkx2/511qZb2ithvs...       None   \n",
       "2  6144:zU0DDlOPbQ6+aKVelI7PuUMtgE6+KFlBNJXjq7fAb...       None   \n",
       "3  6144:xXoWnIxqmbeF0x9QAd1HielOXYonTKF9YPbuHENCr...       None   \n",
       "\n",
       "                  tags                                          code_sign  \n",
       "0  [64bit, dll, TA505]  [{'subject_cn': 'Ekitai Data Inc.', 'issuer_cn...  \n",
       "1  [32bit, dll, TA505]  [{'subject_cn': 'Ekitai Data Inc.', 'issuer_cn...  \n",
       "2  [64bit, dll, TA505]  [{'subject_cn': 'Ekitai Data Inc.', 'issuer_cn...  \n",
       "3  [32bit, dll, TA505]  [{'subject_cn': 'Ekitai Data Inc.', 'issuer_cn...  \n",
       "\n",
       "[4 rows x 21 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "# Query Malware Bazaar for recent samples whose signing certificate has this subject CN\n",
    "mbdetail = mblookup.lookup_ioc(observable=\"Ekitai Data Inc.\", mb_type='subjectinfo')\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Retrieves the latest samples that match the specified Certificate Serial Number"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 16,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>anonymous</th>\n",
       "      <th>signature</th>\n",
       "      <th>imphash</th>\n",
       "      <th>tlsh</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>code_sign</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>1a49d434e0a95bd312d3d0a6d4fd5335830970bef8009e...</td>\n",
       "      <td>None</td>\n",
       "      <td>d10b67e61fcce873ecac3ff3b5fca077106ff4d4</td>\n",
       "      <td>5d3727294622a3191a33b87049e4fbaa</td>\n",
       "      <td>2020-11-04 17:11:15</td>\n",
       "      <td>None</td>\n",
       "      <td>1247015.exe</td>\n",
       "      <td>277456</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>Quakbot</td>\n",
       "      <td>015974618e9105226f001019d35e62e5</td>\n",
       "      <td>D944F12329799033F4220BB64DE6D2724C7D78685A3209...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:QLfhdM/bXZswyIZkEuHrBuYFCAN8XkwDLPUf:ivKb...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>e4053c912df782e2756904eaf7eb2fc4cd54ea0b59f2dd...</td>\n",
       "      <td>None</td>\n",
       "      <td>5bafc16caa8e8a8a7f3e963c581e7c389a72cc4b</td>\n",
       "      <td>09c3b79f25e4fb96636099e1c032e440</td>\n",
       "      <td>2020-11-01 10:12:01</td>\n",
       "      <td>2020-11-07 12:50:41</td>\n",
       "      <td>e4053c912df782e2756904eaf7eb2fc4cd54ea0b59f2dd...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>4844E04213E84445FC6B667A4CB2C32016527C95A72EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:CawCRk4Z0Nhb4s6g1IILx4r37gCyljA6+:+Gk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>d394623d69c8cbac395b6197210ae622fb98293d2cfcd6...</td>\n",
       "      <td>None</td>\n",
       "      <td>e33121ab4e815bb22c000e5283037f054c5c28a5</td>\n",
       "      <td>62891560f0dd59eb551625ed6450712e</td>\n",
       "      <td>2020-11-01 10:11:58</td>\n",
       "      <td>2020-11-06 10:55:49</td>\n",
       "      <td>d394623d69c8cbac395b6197210ae622fb98293d2cfcd6...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>EC44E0C2A3EC4044FAA652BB4173C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:adtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>d1bb3f027353c0a0714df4f1078d9cd0682c81e7bb27aa...</td>\n",
       "      <td>None</td>\n",
       "      <td>495247119b938027aa9b06be0453a7aab5715458</td>\n",
       "      <td>7234795ec5e1575c0fde8231830df585</td>\n",
       "      <td>2020-11-01 10:11:55</td>\n",
       "      <td>2020-11-07 12:48:51</td>\n",
       "      <td>d1bb3f027353c0a0714df4f1078d9cd0682c81e7bb27aa...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>6944E0C2A3EC4044FAA652BB4173C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:adtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>b722d1e333d3cabbc9399d799a05cbbf17b09f4bf48a4e...</td>\n",
       "      <td>None</td>\n",
       "      <td>466dd9671f9590f9d239bd2aa3f917c1a966d733</td>\n",
       "      <td>e93c2a807d6a6e8093b1e4d92976418f</td>\n",
       "      <td>2020-11-01 10:11:53</td>\n",
       "      <td>2020-11-06 11:28:35</td>\n",
       "      <td>b722d1e333d3cabbc9399d799a05cbbf17b09f4bf48a4e...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>6544E04213E84445F86B667A4CB2C32016527C95A72EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:+awCRk4Z0Nhb4s6g1IILx4r37gCyljAri:qGk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>b06e103b426a26533360cb1ab47055e3f8b3a75b7995f8...</td>\n",
       "      <td>None</td>\n",
       "      <td>6d3ac735ba3022c337cbb9a980ef29ce3879d234</td>\n",
       "      <td>076c9badb09bfadea92f797b8492039d</td>\n",
       "      <td>2020-11-01 10:11:50</td>\n",
       "      <td>2020-11-07 12:52:10</td>\n",
       "      <td>b06e103b426a26533360cb1ab47055e3f8b3a75b7995f8...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>1544E04213E84445FC6B667A4CB2C32016627C95A72EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:UawCRk4Z0Nhb4s6g1IILx4r37gCyljAWX:kGk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>b5e167293b5978ad7aa100c846e91e42cc1a8da04cb860...</td>\n",
       "      <td>None</td>\n",
       "      <td>c4c3c49ecb41e79cbb3e156dd531926b6248f8c8</td>\n",
       "      <td>b3ffeafc033067e6fa3b1233db3720b4</td>\n",
       "      <td>2020-11-01 10:11:48</td>\n",
       "      <td>2020-11-06 11:11:36</td>\n",
       "      <td>b5e167293b5978ad7aa100c846e91e42cc1a8da04cb860...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>9E44E0C2A3EC4044FAA652BB4173C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:qdtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>303121f6de8cf468ba8556e3da25d7b4ce3d326d97125a...</td>\n",
       "      <td>None</td>\n",
       "      <td>70ab3c4af274fc98f9388460352fb35c71c57b14</td>\n",
       "      <td>0c480dd3889b16c97e5279bd4780eda1</td>\n",
       "      <td>2020-11-01 10:11:46</td>\n",
       "      <td>2020-11-06 11:22:41</td>\n",
       "      <td>303121f6de8cf468ba8556e3da25d7b4ce3d326d97125a...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>2144E04213E84445FC6B627A4CB2C32016527C95A76EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:pawCRk4Z0Nhb4s6g1IILx4r37gCyljA1A:vGk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>67506d9141b18c0878e73fe9bc13f6bdaf5415c31cd270...</td>\n",
       "      <td>None</td>\n",
       "      <td>920c5e99cc170eb91df304a18517e9f19296dfef</td>\n",
       "      <td>ee0ebee0f94b643807db675d43fee80a</td>\n",
       "      <td>2020-11-01 10:11:44</td>\n",
       "      <td>2020-11-07 12:51:09</td>\n",
       "      <td>67506d9141b18c0878e73fe9bc13f6bdaf5415c31cd270...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>EB44E0C2A3EC4044FAA652BB4173C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:+dtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>2964eeb4bb8c0efe746244428f24422aa311b216238faf...</td>\n",
       "      <td>None</td>\n",
       "      <td>c47e5c9ce2c229ea155d141b0cbc2ff2b7fb4aab</td>\n",
       "      <td>c7fda8ee4fc40075ce80747c4688942b</td>\n",
       "      <td>2020-11-01 10:11:42</td>\n",
       "      <td>2020-11-06 10:58:14</td>\n",
       "      <td>2964eeb4bb8c0efe746244428f24422aa311b216238faf...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>FA44E04213E84445FC6B667A4CB2C32016627C95A72EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:5awCRk4Z0Nhb4s6g1IILx4r37gCyljAyU:fGk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>10</th>\n",
       "      <td>495dedc7acdd334f376eb57d8d87d5bcacbc0da799adc6...</td>\n",
       "      <td>None</td>\n",
       "      <td>41c6b58c5d6a930723462e438c4a9fda00ca4677</td>\n",
       "      <td>8819d42d87d41ef33804b444725453a1</td>\n",
       "      <td>2020-11-01 10:11:40</td>\n",
       "      <td>2020-11-06 11:37:21</td>\n",
       "      <td>495dedc7acdd334f376eb57d8d87d5bcacbc0da799adc6...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>3744E0C2A3EC4044FAA652BB4073C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:zdtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>11</th>\n",
       "      <td>162a0d1651250cab75ba0219b85763bdaf5af3398b5dfe...</td>\n",
       "      <td>None</td>\n",
       "      <td>cf26b10796acb1a9ccc253090662a7b6c8833e8b</td>\n",
       "      <td>e491ece1e104ee96dd39a2349c1576a4</td>\n",
       "      <td>2020-11-01 10:11:38</td>\n",
       "      <td>2020-11-07 12:53:22</td>\n",
       "      <td>162a0d1651250cab75ba0219b85763bdaf5af3398b5dfe...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>D844E0C2A3EC4044FAA652BB4173C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:FdtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>12</th>\n",
       "      <td>85aa8419001ffcc0dac6a29548dc0438c05261b842d625...</td>\n",
       "      <td>None</td>\n",
       "      <td>8824d0e2faf62218f05dfcf2bee3ec349018b386</td>\n",
       "      <td>8da737c1dc7d34d2c3b3157d29a156ad</td>\n",
       "      <td>2020-11-01 10:11:36</td>\n",
       "      <td>2020-11-06 11:09:45</td>\n",
       "      <td>85aa8419001ffcc0dac6a29548dc0438c05261b842d625...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>D144E0C2A3EC4044FAA652BB4173C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:rdtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>13</th>\n",
       "      <td>46c407bc6a89726389f73de450a801d6d14a9fb97447f2...</td>\n",
       "      <td>None</td>\n",
       "      <td>a04121ab830393c7dd500f78e63e94c0d9603f5f</td>\n",
       "      <td>4c86351a2c1c889699ac9e3ebf831c72</td>\n",
       "      <td>2020-11-01 10:11:34</td>\n",
       "      <td>2020-11-07 12:52:49</td>\n",
       "      <td>46c407bc6a89726389f73de450a801d6d14a9fb97447f2...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>3F44E0C2A3E84044FAA652BB4073C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:rdtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>14</th>\n",
       "      <td>037d8b7946f740cc7d4f72b8e133766c3f5ca141369707...</td>\n",
       "      <td>None</td>\n",
       "      <td>353c5ae6b7f7e75933b6a1021f3ed2d7afe1ed49</td>\n",
       "      <td>07c57f584f3b67f6026730ead1bfcb46</td>\n",
       "      <td>2020-11-01 10:11:32</td>\n",
       "      <td>2020-11-07 12:51:58</td>\n",
       "      <td>037d8b7946f740cc7d4f72b8e133766c3f5ca141369707...</td>\n",
       "      <td>263632</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td>303f89b8f429d52fa9a67ddad2dbfa52</td>\n",
       "      <td>7544E0C2A3EC4044FAA652BB4173C3153A217D5D983EAB...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:7dtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5c...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>15</th>\n",
       "      <td>16f511f7fdc83981b31b85fe6c42591093db5397d7634b...</td>\n",
       "      <td>None</td>\n",
       "      <td>04a1650ec2c3e5b87865cf5ef36c7bfdc486d03d</td>\n",
       "      <td>15f3bcd8d6edacb9432e69ed7c218d63</td>\n",
       "      <td>2020-11-01 10:11:30</td>\n",
       "      <td>2020-11-06 11:35:27</td>\n",
       "      <td>16f511f7fdc83981b31b85fe6c42591093db5397d7634b...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>5A44D04213E84445FC6B667A4CB2C32016527C95A72EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:lawCRk4Z0Nhb4s6g1IILx4r37gCyljAqT:bGk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>16</th>\n",
       "      <td>9d8eb1fc299a3be657eb975c5c7bc69bff72f536c6c02a...</td>\n",
       "      <td>None</td>\n",
       "      <td>93f94d86e22ddcd9659b37263cb5c826db3b21e3</td>\n",
       "      <td>2652cb6dede0a322f2aaa727ba63bc91</td>\n",
       "      <td>2020-11-01 10:11:28</td>\n",
       "      <td>2020-11-06 11:33:28</td>\n",
       "      <td>9d8eb1fc299a3be657eb975c5c7bc69bff72f536c6c02a...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>C744E04213EC4445F86B667A4CB2C32016527C95A72EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:SawCRk4Z0Nhb4s6g1IILx4r37gCyljAWx:uGk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>17</th>\n",
       "      <td>3b948ca55076ceedc3e6915ff9db3ede5a24341b34ba55...</td>\n",
       "      <td>None</td>\n",
       "      <td>d5a6c35bbeb0990bb7d890abdaca1533f31305a2</td>\n",
       "      <td>288bc129d402228bb3cac14828d26ecf</td>\n",
       "      <td>2020-11-01 10:11:26</td>\n",
       "      <td>2020-11-07 12:50:21</td>\n",
       "      <td>3b948ca55076ceedc3e6915ff9db3ede5a24341b34ba55...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>3E44E04213E84445F86B667A4CB2C32016627C95972EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:PawCRk4Z0Nhb4s6g1IILx4r37gCyljAEg:ZGk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>18</th>\n",
       "      <td>1f622642ed6ea23622fb1786f08270c81b635c29b00350...</td>\n",
       "      <td>None</td>\n",
       "      <td>4eada9d3ff43852dbe527d8558358506eba58b6f</td>\n",
       "      <td>c0e542a6270d57d5dc2c319a79e91c69</td>\n",
       "      <td>2020-11-01 10:11:16</td>\n",
       "      <td>2020-11-06 11:29:57</td>\n",
       "      <td>1f622642ed6ea23622fb1786f08270c81b635c29b00350...</td>\n",
       "      <td>261072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>0</td>\n",
       "      <td>QuakBot</td>\n",
       "      <td></td>\n",
       "      <td>1E44E04213E84445F86B627A4CB2C32016627C95676EAF...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:tawCRk4Z0Nhb4s6g1IILx4r37gCyljAMl:zGk4Zkh...</td>\n",
       "      <td>None</td>\n",
       "      <td>[APPI CZ a.s, Qakbot, Quakbot, signed]</td>\n",
       "      <td>[{'subject_cn': 'APPI CZ a.s', 'issuer_cn': 'S...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>19 rows × 21 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbdetail = mblookup.lookup_ioc(observable=\"51CD5393514F7ACE2B407C3DBFB09D8D\", mb_type='certificate')\n",
    "display(mbdetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Recently Added Samples\n",
    "\n",
    "You can retrieve the samples most recently added to the Malware Bazaar database with the get_recent() function.\n",
    "\n",
    "This function takes a 'selector' parameter, which can be:\n",
    "* 'time': to retrieve the samples added in the last 60 minutes\n",
    "* 100: to get the latest 100 samples\n",
    "\n",
    "The example below shows how to use it."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 19,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>code_sign</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>f9a6e8aed26a829f9af2ecf722dc09ed76a3144d6fe4bc...</td>\n",
       "      <td>054e57fe702fad8b75cefc8e91f071876b253b7cf48bf3...</td>\n",
       "      <td>b89f8a9d02dbb2139430a1a30314e4f2cff29f71</td>\n",
       "      <td>6444777ae59bee41428a9c3a53741c80</td>\n",
       "      <td>2022-08-11 09:29:03</td>\n",
       "      <td>None</td>\n",
       "      <td>91361.doc</td>\n",
       "      <td>9068</td>\n",
       "      <td>application/octet-stream</td>\n",
       "      <td>unknown</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>192:7jBthS94xAvK2s/XKIAJb5tOlptSX2kebp3gVkjOBu...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>16</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>ce1e8e57264e84d75ed4960855768418c7a73707d0855d...</td>\n",
       "      <td>2945d468176ca3766e5982574652025887cdce34028f4c...</td>\n",
       "      <td>7fd429ceb24c476a9b3796fe71961575e7637738</td>\n",
       "      <td>fea743ac96b30d64f914d491e802abc1</td>\n",
       "      <td>2022-08-11 09:22:06</td>\n",
       "      <td>None</td>\n",
       "      <td>Copia di pagamento-3400753232678_001-11.08.202...</td>\n",
       "      <td>625664</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm...</td>\n",
       "      <td>d4e2c8b4ccc8f2cc</td>\n",
       "      <td>[agenttesla, exe]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>121</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>2582008cc5626a748f4926d0973f1b4ea0717e5167e1f7...</td>\n",
       "      <td>05d09b744be600daf03e2f67bcdc4b81ee317336ee7988...</td>\n",
       "      <td>e03a9f658327fc96d774ae19d714add257a10d88</td>\n",
       "      <td>2f4a3782d2ab90126ff927026dac5077</td>\n",
       "      <td>2022-08-11 09:19:47</td>\n",
       "      <td>None</td>\n",
       "      <td>2f4a3782d2ab90126ff927026dac5077</td>\n",
       "      <td>834560</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, exe, RemcosRAT, trojan]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>111</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88...</td>\n",
       "      <td>7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd...</td>\n",
       "      <td>69bf7182f7cd72ca775be7736b843345efbbdc0e</td>\n",
       "      <td>ca25cc1a0351513cbb0bb70343b03862</td>\n",
       "      <td>2022-08-11 09:19:27</td>\n",
       "      <td>None</td>\n",
       "      <td>ca25cc1a0351513cbb0bb70343b03862</td>\n",
       "      <td>857600</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, exe, Formbook, trojan]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>101</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>9bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0...</td>\n",
       "      <td>513b59672d898a92ea8b79a2c015cc79867ed7cac5d271...</td>\n",
       "      <td>117b1e130cc2f2406b0f38d3b3677e4699f65214</td>\n",
       "      <td>57ecac082ee320cf94b2de1a0927a994</td>\n",
       "      <td>2022-08-11 09:19:13</td>\n",
       "      <td>None</td>\n",
       "      <td>57ecac082ee320cf94b2de1a0927a994</td>\n",
       "      <td>879616</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, AgentTesla, exe]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>107</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>f2a4cc133dfeca5432bf22c2817aeb8edb434057711727...</td>\n",
       "      <td>13ad83f7ec5e622b022a06b80f2afa90272cb6a5d7eb5f...</td>\n",
       "      <td>b1eedf6d0b197b0d743e60390864aa279f1f915a</td>\n",
       "      <td>b9694513a38e321b8cbfd807367b7e21</td>\n",
       "      <td>2022-08-11 09:15:26</td>\n",
       "      <td>None</td>\n",
       "      <td>Project sheets.pdf.exe</td>\n",
       "      <td>147736</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:rTpc2Du8SknETVtyMl9Rrhr7jmSBe9BeZ/F8xB2dM...</td>\n",
       "      <td>d2e8ecb2b2a2b282</td>\n",
       "      <td>[exe, Loki]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>122</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>f53a803c52691f8506f33d2719028822db93ae1799d0ba...</td>\n",
       "      <td>32b0422e11faafaa49f39f0df7b093cddeb316f5087134...</td>\n",
       "      <td>9b2c6fddac6ea6c27a2c5c25d515d389429703c0</td>\n",
       "      <td>4e416bdf228c332a60a4fc0d8326373f</td>\n",
       "      <td>2022-08-11 09:00:33</td>\n",
       "      <td>None</td>\n",
       "      <td>4e416bdf228c332a60a4fc0d8326373f.exe</td>\n",
       "      <td>207360</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPs...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, NanoCore, RAT]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>145</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>ba66c7a46a35c1b38aa76a199ae19a65674786771b153e...</td>\n",
       "      <td>5983e487146283ae8c880a5c21b7ef989307d0a0327d59...</td>\n",
       "      <td>b340afd00d6feb4da15b9b10446417e51d3f7082</td>\n",
       "      <td>e6ae2071837c90e79a7f4c6e8e778f0f</td>\n",
       "      <td>2022-08-11 09:00:31</td>\n",
       "      <td>None</td>\n",
       "      <td>e6ae2071837c90e79a7f4c6e8e778f0f.exe</td>\n",
       "      <td>923829</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E...</td>\n",
       "      <td>b298acbab2ca7a72</td>\n",
       "      <td>[exe, RecordBreaker]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>133</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>93b24291abe4b2c7d3eebd64168cf86e5b36571bd30645...</td>\n",
       "      <td>bc79bfe7cf79004f707014cae678bb19a55a91402cc143...</td>\n",
       "      <td>92b194b6c75c6c2e8e693fca7f0c660fbcd70be5</td>\n",
       "      <td>76755f4c31240a6247689c0ffdc6e627</td>\n",
       "      <td>2022-08-11 08:45:49</td>\n",
       "      <td>None</td>\n",
       "      <td>AST_928765425672-09876353B.exe</td>\n",
       "      <td>864256</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:9N+7nP3i1XkYIgj7wPQdh0TLeb9hIv001mWfTd0:...</td>\n",
       "      <td>c496b2b8fcccacdc</td>\n",
       "      <td>[AgentTesla, exe]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>175</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>08375457359c0439dde333b220071987d355b3a2b0aa9f...</td>\n",
       "      <td>ca9ceb34ae3cd40cd0767a8d665a8346af419f56fd023b...</td>\n",
       "      <td>58133e441cebee95176aba75ef533a99af208758</td>\n",
       "      <td>bb2518245e5b20e35c7a22521be3b6fb</td>\n",
       "      <td>2022-08-11 08:45:38</td>\n",
       "      <td>None</td>\n",
       "      <td>MV TONIC_CTM REQUEST.exe</td>\n",
       "      <td>762368</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:xqoKggb2iNdvpc++E4+xp985R+J0vuxrHeBCVLbC...</td>\n",
       "      <td>None</td>\n",
       "      <td>[exe, Loki]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>159</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>10</th>\n",
       "      <td>f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6...</td>\n",
       "      <td>936d638104e56fd4cdbf6f56c1ea63679a02e763eaef01...</td>\n",
       "      <td>cd8ddf4094ff130568ace0dfc578500213eb5be4</td>\n",
       "      <td>d3c1e94c64ce0e37e03af92f18067ea4</td>\n",
       "      <td>2022-08-11 08:40:28</td>\n",
       "      <td>None</td>\n",
       "      <td>d3c1e94c64ce0e37e03af92f18067ea4.exe</td>\n",
       "      <td>922983</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:pAT8QE+kHVNpJc7Y/sDZ0239GhjS9knREHXsW02E...</td>\n",
       "      <td>b298acbab2ca7a72</td>\n",
       "      <td>[exe, RecordBreaker]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>158</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>11</th>\n",
       "      <td>cce110eed95c36bf618669b1a290ee90b5152ee9c660b6...</td>\n",
       "      <td>c5becc588aaf916b5e3410577e7da0c584580acb8b9133...</td>\n",
       "      <td>998f81830fedf6ed17772adbafb0e35f4db90921</td>\n",
       "      <td>50e4b08657bacf6cc461e5b804bf6327</td>\n",
       "      <td>2022-08-11 08:33:42</td>\n",
       "      <td>None</td>\n",
       "      <td>Cerere de oferta P.0- 202208100237RO.vbs</td>\n",
       "      <td>3279</td>\n",
       "      <td>text/plain</td>\n",
       "      <td>vbs</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>48:7VH5HxRyYdZGYG6QSdtBGJS8rSMB0sAZtBL0Bd1lzyo...</td>\n",
       "      <td>None</td>\n",
       "      <td>[RemcosRAT, vbs]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>92</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>12</th>\n",
       "      <td>6461adafdbd61960915775dea557e0e90befe75f1dd4e5...</td>\n",
       "      <td>22e9653bd814fd0e4c1f56f32531089bafcd274bb5a80e...</td>\n",
       "      <td>656b499793e15d10ff2f5c390fe68b0936747bf4</td>\n",
       "      <td>0981f372b79a6cb066b549f77222ed99</td>\n",
       "      <td>2022-08-11 08:33:22</td>\n",
       "      <td>None</td>\n",
       "      <td>Blocked_Mtcn_pdf.jar</td>\n",
       "      <td>762743</td>\n",
       "      <td>application/zip</td>\n",
       "      <td>jar</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:pYLm8IIt9zaZOodSEq0MmKKpwF5RL+g581tQWyq2...</td>\n",
       "      <td>None</td>\n",
       "      <td>[jar, Vjw0rm]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>93</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>13</th>\n",
       "      <td>2d879a04feb390c4a7fcf0351a18ac23b203936dac3dcf...</td>\n",
       "      <td>6691d54452ae7f6edbbae5340a96021673d31cf1e82b43...</td>\n",
       "      <td>c77c349436d747a1509870d687221ada7528ecae</td>\n",
       "      <td>f8d8bd0c38f4c99a83a38856fa9b7e4e</td>\n",
       "      <td>2022-08-11 08:33:10</td>\n",
       "      <td>None</td>\n",
       "      <td>Dhl.exe</td>\n",
       "      <td>109568</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>192:Gy1HDYwzBbx3Z5FvmTAOeqfOZQNdDnHOiSa52nkwi6...</td>\n",
       "      <td>0000000000000000</td>\n",
       "      <td>[DHL, exe, Formbook]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>176</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>14</th>\n",
       "      <td>aa7436d336aa352db635976f19fe9f6fce9078608d3fdb...</td>\n",
       "      <td>f8e4f386d86829a3e01c46da571c694079c16a7bbec253...</td>\n",
       "      <td>6f091e5c2c085341e4b95b79b9d0f5738f3adb55</td>\n",
       "      <td>382b66f8a5dca1305cf1e5de83b7fdef</td>\n",
       "      <td>2022-08-11 08:32:53</td>\n",
       "      <td>None</td>\n",
       "      <td>TNT Original Invoice.exe</td>\n",
       "      <td>289824</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>6144:joq5HAUwC5UM1kSlTXmLAtBP8wGYmLReHgcaVkJvp...</td>\n",
       "      <td>d2e8ecb2b2a2b282</td>\n",
       "      <td>[exe, Formbook, TNT, VelvetSweatshop]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>166</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>15 rows × 26 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                          sha256_hash  \\\n",
       "0   f9a6e8aed26a829f9af2ecf722dc09ed76a3144d6fe4bc...   \n",
       "1   ce1e8e57264e84d75ed4960855768418c7a73707d0855d...   \n",
       "2   2582008cc5626a748f4926d0973f1b4ea0717e5167e1f7...   \n",
       "3   6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88...   \n",
       "4   9bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0...   \n",
       "5   f2a4cc133dfeca5432bf22c2817aeb8edb434057711727...   \n",
       "6   f53a803c52691f8506f33d2719028822db93ae1799d0ba...   \n",
       "7   ba66c7a46a35c1b38aa76a199ae19a65674786771b153e...   \n",
       "8   93b24291abe4b2c7d3eebd64168cf86e5b36571bd30645...   \n",
       "9   08375457359c0439dde333b220071987d355b3a2b0aa9f...   \n",
       "10  f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6...   \n",
       "11  cce110eed95c36bf618669b1a290ee90b5152ee9c660b6...   \n",
       "12  6461adafdbd61960915775dea557e0e90befe75f1dd4e5...   \n",
       "13  2d879a04feb390c4a7fcf0351a18ac23b203936dac3dcf...   \n",
       "14  aa7436d336aa352db635976f19fe9f6fce9078608d3fdb...   \n",
       "\n",
       "                                        sha3_384_hash  \\\n",
       "0   054e57fe702fad8b75cefc8e91f071876b253b7cf48bf3...   \n",
       "1   2945d468176ca3766e5982574652025887cdce34028f4c...   \n",
       "2   05d09b744be600daf03e2f67bcdc4b81ee317336ee7988...   \n",
       "3   7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd...   \n",
       "4   513b59672d898a92ea8b79a2c015cc79867ed7cac5d271...   \n",
       "5   13ad83f7ec5e622b022a06b80f2afa90272cb6a5d7eb5f...   \n",
       "6   32b0422e11faafaa49f39f0df7b093cddeb316f5087134...   \n",
       "7   5983e487146283ae8c880a5c21b7ef989307d0a0327d59...   \n",
       "8   bc79bfe7cf79004f707014cae678bb19a55a91402cc143...   \n",
       "9   ca9ceb34ae3cd40cd0767a8d665a8346af419f56fd023b...   \n",
       "10  936d638104e56fd4cdbf6f56c1ea63679a02e763eaef01...   \n",
       "11  c5becc588aaf916b5e3410577e7da0c584580acb8b9133...   \n",
       "12  22e9653bd814fd0e4c1f56f32531089bafcd274bb5a80e...   \n",
       "13  6691d54452ae7f6edbbae5340a96021673d31cf1e82b43...   \n",
       "14  f8e4f386d86829a3e01c46da571c694079c16a7bbec253...   \n",
       "\n",
       "                                   sha1_hash  \\\n",
       "0   b89f8a9d02dbb2139430a1a30314e4f2cff29f71   \n",
       "1   7fd429ceb24c476a9b3796fe71961575e7637738   \n",
       "2   e03a9f658327fc96d774ae19d714add257a10d88   \n",
       "3   69bf7182f7cd72ca775be7736b843345efbbdc0e   \n",
       "4   117b1e130cc2f2406b0f38d3b3677e4699f65214   \n",
       "5   b1eedf6d0b197b0d743e60390864aa279f1f915a   \n",
       "6   9b2c6fddac6ea6c27a2c5c25d515d389429703c0   \n",
       "7   b340afd00d6feb4da15b9b10446417e51d3f7082   \n",
       "8   92b194b6c75c6c2e8e693fca7f0c660fbcd70be5   \n",
       "9   58133e441cebee95176aba75ef533a99af208758   \n",
       "10  cd8ddf4094ff130568ace0dfc578500213eb5be4   \n",
       "11  998f81830fedf6ed17772adbafb0e35f4db90921   \n",
       "12  656b499793e15d10ff2f5c390fe68b0936747bf4   \n",
       "13  c77c349436d747a1509870d687221ada7528ecae   \n",
       "14  6f091e5c2c085341e4b95b79b9d0f5738f3adb55   \n",
       "\n",
       "                            md5_hash           first_seen last_seen  \\\n",
       "0   6444777ae59bee41428a9c3a53741c80  2022-08-11 09:29:03      None   \n",
       "1   fea743ac96b30d64f914d491e802abc1  2022-08-11 09:22:06      None   \n",
       "2   2f4a3782d2ab90126ff927026dac5077  2022-08-11 09:19:47      None   \n",
       "3   ca25cc1a0351513cbb0bb70343b03862  2022-08-11 09:19:27      None   \n",
       "4   57ecac082ee320cf94b2de1a0927a994  2022-08-11 09:19:13      None   \n",
       "5   b9694513a38e321b8cbfd807367b7e21  2022-08-11 09:15:26      None   \n",
       "6   4e416bdf228c332a60a4fc0d8326373f  2022-08-11 09:00:33      None   \n",
       "7   e6ae2071837c90e79a7f4c6e8e778f0f  2022-08-11 09:00:31      None   \n",
       "8   76755f4c31240a6247689c0ffdc6e627  2022-08-11 08:45:49      None   \n",
       "9   bb2518245e5b20e35c7a22521be3b6fb  2022-08-11 08:45:38      None   \n",
       "10  d3c1e94c64ce0e37e03af92f18067ea4  2022-08-11 08:40:28      None   \n",
       "11  50e4b08657bacf6cc461e5b804bf6327  2022-08-11 08:33:42      None   \n",
       "12  0981f372b79a6cb066b549f77222ed99  2022-08-11 08:33:22      None   \n",
       "13  f8d8bd0c38f4c99a83a38856fa9b7e4e  2022-08-11 08:33:10      None   \n",
       "14  382b66f8a5dca1305cf1e5de83b7fdef  2022-08-11 08:32:53      None   \n",
       "\n",
       "                                            file_name  file_size  \\\n",
       "0                                           91361.doc       9068   \n",
       "1   Copia di pagamento-3400753232678_001-11.08.202...     625664   \n",
       "2                    2f4a3782d2ab90126ff927026dac5077     834560   \n",
       "3                    ca25cc1a0351513cbb0bb70343b03862     857600   \n",
       "4                    57ecac082ee320cf94b2de1a0927a994     879616   \n",
       "5                              Project sheets.pdf.exe     147736   \n",
       "6                4e416bdf228c332a60a4fc0d8326373f.exe     207360   \n",
       "7                e6ae2071837c90e79a7f4c6e8e778f0f.exe     923829   \n",
       "8                      AST_928765425672-09876353B.exe     864256   \n",
       "9                            MV TONIC_CTM REQUEST.exe     762368   \n",
       "10               d3c1e94c64ce0e37e03af92f18067ea4.exe     922983   \n",
       "11           Cerere de oferta P.0- 202208100237RO.vbs       3279   \n",
       "12                               Blocked_Mtcn_pdf.jar     762743   \n",
       "13                                            Dhl.exe     109568   \n",
       "14                           TNT Original Invoice.exe     289824   \n",
       "\n",
       "              file_type_mime file_type  ... telfhash gimphash  \\\n",
       "0   application/octet-stream   unknown  ...     None     None   \n",
       "1      application/x-dosexec       exe  ...     None     None   \n",
       "2      application/x-dosexec       exe  ...     None     None   \n",
       "3      application/x-dosexec       exe  ...     None     None   \n",
       "4      application/x-dosexec       exe  ...     None     None   \n",
       "5      application/x-dosexec       exe  ...     None     None   \n",
       "6      application/x-dosexec       exe  ...     None     None   \n",
       "7      application/x-dosexec       exe  ...     None     None   \n",
       "8      application/x-dosexec       exe  ...     None     None   \n",
       "9      application/x-dosexec       exe  ...     None     None   \n",
       "10     application/x-dosexec       exe  ...     None     None   \n",
       "11                text/plain       vbs  ...     None     None   \n",
       "12           application/zip       jar  ...     None     None   \n",
       "13     application/x-dosexec       exe  ...     None     None   \n",
       "14     application/x-dosexec       exe  ...     None     None   \n",
       "\n",
       "                                               ssdeep        dhash_icon  \\\n",
       "0   192:7jBthS94xAvK2s/XKIAJb5tOlptSX2kebp3gVkjOBu...              None   \n",
       "1   12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm...  d4e2c8b4ccc8f2cc   \n",
       "2   12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB...              None   \n",
       "3   12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX...              None   \n",
       "4   24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7...              None   \n",
       "5   3072:rTpc2Du8SknETVtyMl9Rrhr7jmSBe9BeZ/F8xB2dM...  d2e8ecb2b2a2b282   \n",
       "6   3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPs...              None   \n",
       "7   24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E...  b298acbab2ca7a72   \n",
       "8   12288:9N+7nP3i1XkYIgj7wPQdh0TLeb9hIv001mWfTd0:...  c496b2b8fcccacdc   \n",
       "9   12288:xqoKggb2iNdvpc++E4+xp985R+J0vuxrHeBCVLbC...              None   \n",
       "10  24576:pAT8QE+kHVNpJc7Y/sDZ0239GhjS9knREHXsW02E...  b298acbab2ca7a72   \n",
       "11  48:7VH5HxRyYdZGYG6QSdtBGJS8rSMB0sAZtBL0Bd1lzyo...              None   \n",
       "12  12288:pYLm8IIt9zaZOodSEq0MmKKpwF5RL+g581tQWyq2...              None   \n",
       "13  192:Gy1HDYwzBbx3Z5FvmTAOeqfOZQNdDnHOiSa52nkwi6...  0000000000000000   \n",
       "14  6144:joq5HAUwC5UM1kSlTXmLAtBP8wGYmLReHgcaVkJvp...  d2e8ecb2b2a2b282   \n",
       "\n",
       "                                     tags code_sign intelligence.clamav  \\\n",
       "0                                    None        []                None   \n",
       "1                       [agenttesla, exe]        []                None   \n",
       "2            [32, exe, RemcosRAT, trojan]        []                None   \n",
       "3             [32, exe, Formbook, trojan]        []                None   \n",
       "4                   [32, AgentTesla, exe]        []                None   \n",
       "5                             [exe, Loki]        []                None   \n",
       "6                    [exe, NanoCore, RAT]        []                None   \n",
       "7                    [exe, RecordBreaker]        []                None   \n",
       "8                       [AgentTesla, exe]        []                None   \n",
       "9                             [exe, Loki]        []                None   \n",
       "10                   [exe, RecordBreaker]        []                None   \n",
       "11                       [RemcosRAT, vbs]        []                None   \n",
       "12                          [jar, Vjw0rm]        []                None   \n",
       "13                   [DHL, exe, Formbook]        []                None   \n",
       "14  [exe, Formbook, TNT, VelvetSweatshop]        []                None   \n",
       "\n",
       "   intelligence.downloads intelligence.uploads intelligence.mail  \n",
       "0                      16                    1              None  \n",
       "1                     121                    1              None  \n",
       "2                     111                    1              None  \n",
       "3                     101                    1              None  \n",
       "4                     107                    1              None  \n",
       "5                     122                    1              None  \n",
       "6                     145                    1              None  \n",
       "7                     133                    1              None  \n",
       "8                     175                    1              None  \n",
       "9                     159                    1              None  \n",
       "10                    158                    1              None  \n",
       "11                     92                    1              None  \n",
       "12                     93                    1              None  \n",
       "13                    176                    1              None  \n",
       "14                    166                    1              None  \n",
       "\n",
       "[15 rows x 26 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbrecent = mblookup.get_recent(selector='time')\n",
    "display(mbrecent)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 20,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sha256_hash</th>\n",
       "      <th>sha3_384_hash</th>\n",
       "      <th>sha1_hash</th>\n",
       "      <th>md5_hash</th>\n",
       "      <th>first_seen</th>\n",
       "      <th>last_seen</th>\n",
       "      <th>file_name</th>\n",
       "      <th>file_size</th>\n",
       "      <th>file_type_mime</th>\n",
       "      <th>file_type</th>\n",
       "      <th>...</th>\n",
       "      <th>telfhash</th>\n",
       "      <th>gimphash</th>\n",
       "      <th>ssdeep</th>\n",
       "      <th>dhash_icon</th>\n",
       "      <th>tags</th>\n",
       "      <th>code_sign</th>\n",
       "      <th>intelligence.clamav</th>\n",
       "      <th>intelligence.downloads</th>\n",
       "      <th>intelligence.uploads</th>\n",
       "      <th>intelligence.mail</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>f9a6e8aed26a829f9af2ecf722dc09ed76a3144d6fe4bc...</td>\n",
       "      <td>054e57fe702fad8b75cefc8e91f071876b253b7cf48bf3...</td>\n",
       "      <td>b89f8a9d02dbb2139430a1a30314e4f2cff29f71</td>\n",
       "      <td>6444777ae59bee41428a9c3a53741c80</td>\n",
       "      <td>2022-08-11 09:29:03</td>\n",
       "      <td>None</td>\n",
       "      <td>91361.doc</td>\n",
       "      <td>9068</td>\n",
       "      <td>application/octet-stream</td>\n",
       "      <td>unknown</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>192:7jBthS94xAvK2s/XKIAJb5tOlptSX2kebp3gVkjOBu...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>16</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>ce1e8e57264e84d75ed4960855768418c7a73707d0855d...</td>\n",
       "      <td>2945d468176ca3766e5982574652025887cdce34028f4c...</td>\n",
       "      <td>7fd429ceb24c476a9b3796fe71961575e7637738</td>\n",
       "      <td>fea743ac96b30d64f914d491e802abc1</td>\n",
       "      <td>2022-08-11 09:22:06</td>\n",
       "      <td>None</td>\n",
       "      <td>Copia di pagamento-3400753232678_001-11.08.202...</td>\n",
       "      <td>625664</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm...</td>\n",
       "      <td>d4e2c8b4ccc8f2cc</td>\n",
       "      <td>[agenttesla, exe]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>121</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>2582008cc5626a748f4926d0973f1b4ea0717e5167e1f7...</td>\n",
       "      <td>05d09b744be600daf03e2f67bcdc4b81ee317336ee7988...</td>\n",
       "      <td>e03a9f658327fc96d774ae19d714add257a10d88</td>\n",
       "      <td>2f4a3782d2ab90126ff927026dac5077</td>\n",
       "      <td>2022-08-11 09:19:47</td>\n",
       "      <td>None</td>\n",
       "      <td>2f4a3782d2ab90126ff927026dac5077</td>\n",
       "      <td>834560</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, exe, RemcosRAT, trojan]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>111</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88...</td>\n",
       "      <td>7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd...</td>\n",
       "      <td>69bf7182f7cd72ca775be7736b843345efbbdc0e</td>\n",
       "      <td>ca25cc1a0351513cbb0bb70343b03862</td>\n",
       "      <td>2022-08-11 09:19:27</td>\n",
       "      <td>None</td>\n",
       "      <td>ca25cc1a0351513cbb0bb70343b03862</td>\n",
       "      <td>857600</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, exe, Formbook, trojan]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>101</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>9bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0...</td>\n",
       "      <td>513b59672d898a92ea8b79a2c015cc79867ed7cac5d271...</td>\n",
       "      <td>117b1e130cc2f2406b0f38d3b3677e4699f65214</td>\n",
       "      <td>57ecac082ee320cf94b2de1a0927a994</td>\n",
       "      <td>2022-08-11 09:19:13</td>\n",
       "      <td>None</td>\n",
       "      <td>57ecac082ee320cf94b2de1a0927a994</td>\n",
       "      <td>879616</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7...</td>\n",
       "      <td>None</td>\n",
       "      <td>[32, AgentTesla, exe]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>107</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>...</th>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>95</th>\n",
       "      <td>4277df25da3817b0c6aac6c24e47e1e6cda846c585cb1b...</td>\n",
       "      <td>48f23ca01941f503b427a82051addc6fca3a4e35e50424...</td>\n",
       "      <td>fd91f6185d3607e015661262295f9c8842dc6d08</td>\n",
       "      <td>e94d0d63b2154b88866750cf75c0aa58</td>\n",
       "      <td>2022-08-11 06:23:21</td>\n",
       "      <td>None</td>\n",
       "      <td>e94d0d63b2154b88866750cf75c0aa58.exe</td>\n",
       "      <td>1494016</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:rsLp0FasdJu/+/dfMs2KLoyaU/5DeTgtMyPtToli...</td>\n",
       "      <td>d0f09ef8b2f2d80c</td>\n",
       "      <td>[exe, Socelars]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>172</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>96</th>\n",
       "      <td>bb5efa133c2756135061e56c3a7e739e246827412af03a...</td>\n",
       "      <td>383317694a8870466919391028ad63a7bcfb261ba4f68a...</td>\n",
       "      <td>d6af2bc47eb595fba9a377c72e2f28a9d7b7c081</td>\n",
       "      <td>cd65a330e760b1fc08352119b418aaa4</td>\n",
       "      <td>2022-08-11 06:21:26</td>\n",
       "      <td>2022-08-11 06:50:58</td>\n",
       "      <td>hesaphareketi-01.exe</td>\n",
       "      <td>899072</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:/vM4vwHmQlz8QpSh1UqvtClbsT2L+uUgi:/M84qk...</td>\n",
       "      <td>0069e8e8e8e89669</td>\n",
       "      <td>[exe, geo, MassLogger, TUR]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>175</td>\n",
       "      <td>3</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>97</th>\n",
       "      <td>ebfcaab875819a883c8e6447e8e99e01bc01b0a3185773...</td>\n",
       "      <td>45246ec90235d21e6d2cc131b07f9c505ad62faf725be9...</td>\n",
       "      <td>31db8c4f74aadbc180f79389165b9539f357e36b</td>\n",
       "      <td>3426783d67482f377199bb7397909525</td>\n",
       "      <td>2022-08-11 06:21:15</td>\n",
       "      <td>2022-08-11 06:51:00</td>\n",
       "      <td>Ziraat Bankasi Swift Mesaji.exe</td>\n",
       "      <td>968192</td>\n",
       "      <td>application/x-dosexec</td>\n",
       "      <td>exe</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:GmY4vwHmQlPOfpSe+wFGcgNCLCxZC63DmAUkrgi:...</td>\n",
       "      <td>0069e8e8e8e89669</td>\n",
       "      <td>[exe, Formbook, geo, TUR]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>188</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>98</th>\n",
       "      <td>ae554c838c7389ca65c3b7f5abce1006217c9893316e1e...</td>\n",
       "      <td>eb19d5e88af0b1a0e9ad0cbf6633f0b499420d6073a1dd...</td>\n",
       "      <td>0dc97e5825bdb91a03629815372916bfe641e218</td>\n",
       "      <td>0a03c724d8f793c7019d232cfdc8e6d4</td>\n",
       "      <td>2022-08-11 06:21:07</td>\n",
       "      <td>2022-08-11 06:51:02</td>\n",
       "      <td>Amended Signed Contract.doc</td>\n",
       "      <td>2598632</td>\n",
       "      <td>text/rtf</td>\n",
       "      <td>doc</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>24576:tnW6hT611mIvGrJun1bTqRIq81PqAx/S8CS9ZzmS...</td>\n",
       "      <td>None</td>\n",
       "      <td>[doc, Formbook]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>185</td>\n",
       "      <td>2</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>99</th>\n",
       "      <td>a3e8a495c7d1f7d8fc1c2f2f7ead0eefdc82e23a4f0ecf...</td>\n",
       "      <td>2fc8db74bf932e87170c330eb376a22f24bc88bb8e9ec0...</td>\n",
       "      <td>95cd652f1c7c3df8fd4386dec295e6f19b9205b3</td>\n",
       "      <td>689e34eec5c133f95ac8a24d04ed7a4a</td>\n",
       "      <td>2022-08-11 06:19:48</td>\n",
       "      <td>None</td>\n",
       "      <td>DELAY_NOTICE_NEW_SHIPMENT_SCHEDULE.vbs</td>\n",
       "      <td>339381</td>\n",
       "      <td>text/plain</td>\n",
       "      <td>vbs</td>\n",
       "      <td>...</td>\n",
       "      <td>None</td>\n",
       "      <td>None</td>\n",
       "      <td>1536:b3/l9wbmaPJsGBJUby0OIZgc92CEehkk4D3L7Mqoq...</td>\n",
       "      <td>None</td>\n",
       "      <td>[GuLoader, vbs]</td>\n",
       "      <td>[]</td>\n",
       "      <td>None</td>\n",
       "      <td>115</td>\n",
       "      <td>1</td>\n",
       "      <td>None</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>100 rows × 26 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                          sha256_hash  \\\n",
       "0   f9a6e8aed26a829f9af2ecf722dc09ed76a3144d6fe4bc...   \n",
       "1   ce1e8e57264e84d75ed4960855768418c7a73707d0855d...   \n",
       "2   2582008cc5626a748f4926d0973f1b4ea0717e5167e1f7...   \n",
       "3   6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88...   \n",
       "4   9bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0...   \n",
       "..                                                ...   \n",
       "95  4277df25da3817b0c6aac6c24e47e1e6cda846c585cb1b...   \n",
       "96  bb5efa133c2756135061e56c3a7e739e246827412af03a...   \n",
       "97  ebfcaab875819a883c8e6447e8e99e01bc01b0a3185773...   \n",
       "98  ae554c838c7389ca65c3b7f5abce1006217c9893316e1e...   \n",
       "99  a3e8a495c7d1f7d8fc1c2f2f7ead0eefdc82e23a4f0ecf...   \n",
       "\n",
       "                                        sha3_384_hash  \\\n",
       "0   054e57fe702fad8b75cefc8e91f071876b253b7cf48bf3...   \n",
       "1   2945d468176ca3766e5982574652025887cdce34028f4c...   \n",
       "2   05d09b744be600daf03e2f67bcdc4b81ee317336ee7988...   \n",
       "3   7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd...   \n",
       "4   513b59672d898a92ea8b79a2c015cc79867ed7cac5d271...   \n",
       "..                                                ...   \n",
       "95  48f23ca01941f503b427a82051addc6fca3a4e35e50424...   \n",
       "96  383317694a8870466919391028ad63a7bcfb261ba4f68a...   \n",
       "97  45246ec90235d21e6d2cc131b07f9c505ad62faf725be9...   \n",
       "98  eb19d5e88af0b1a0e9ad0cbf6633f0b499420d6073a1dd...   \n",
       "99  2fc8db74bf932e87170c330eb376a22f24bc88bb8e9ec0...   \n",
       "\n",
       "                                   sha1_hash  \\\n",
       "0   b89f8a9d02dbb2139430a1a30314e4f2cff29f71   \n",
       "1   7fd429ceb24c476a9b3796fe71961575e7637738   \n",
       "2   e03a9f658327fc96d774ae19d714add257a10d88   \n",
       "3   69bf7182f7cd72ca775be7736b843345efbbdc0e   \n",
       "4   117b1e130cc2f2406b0f38d3b3677e4699f65214   \n",
       "..                                       ...   \n",
       "95  fd91f6185d3607e015661262295f9c8842dc6d08   \n",
       "96  d6af2bc47eb595fba9a377c72e2f28a9d7b7c081   \n",
       "97  31db8c4f74aadbc180f79389165b9539f357e36b   \n",
       "98  0dc97e5825bdb91a03629815372916bfe641e218   \n",
       "99  95cd652f1c7c3df8fd4386dec295e6f19b9205b3   \n",
       "\n",
       "                            md5_hash           first_seen  \\\n",
       "0   6444777ae59bee41428a9c3a53741c80  2022-08-11 09:29:03   \n",
       "1   fea743ac96b30d64f914d491e802abc1  2022-08-11 09:22:06   \n",
       "2   2f4a3782d2ab90126ff927026dac5077  2022-08-11 09:19:47   \n",
       "3   ca25cc1a0351513cbb0bb70343b03862  2022-08-11 09:19:27   \n",
       "4   57ecac082ee320cf94b2de1a0927a994  2022-08-11 09:19:13   \n",
       "..                               ...                  ...   \n",
       "95  e94d0d63b2154b88866750cf75c0aa58  2022-08-11 06:23:21   \n",
       "96  cd65a330e760b1fc08352119b418aaa4  2022-08-11 06:21:26   \n",
       "97  3426783d67482f377199bb7397909525  2022-08-11 06:21:15   \n",
       "98  0a03c724d8f793c7019d232cfdc8e6d4  2022-08-11 06:21:07   \n",
       "99  689e34eec5c133f95ac8a24d04ed7a4a  2022-08-11 06:19:48   \n",
       "\n",
       "              last_seen                                          file_name  \\\n",
       "0                  None                                          91361.doc   \n",
       "1                  None  Copia di pagamento-3400753232678_001-11.08.202...   \n",
       "2                  None                   2f4a3782d2ab90126ff927026dac5077   \n",
       "3                  None                   ca25cc1a0351513cbb0bb70343b03862   \n",
       "4                  None                   57ecac082ee320cf94b2de1a0927a994   \n",
       "..                  ...                                                ...   \n",
       "95                 None               e94d0d63b2154b88866750cf75c0aa58.exe   \n",
       "96  2022-08-11 06:50:58                               hesaphareketi-01.exe   \n",
       "97  2022-08-11 06:51:00                    Ziraat Bankasi Swift Mesaji.exe   \n",
       "98  2022-08-11 06:51:02                        Amended Signed Contract.doc   \n",
       "99                 None             DELAY_NOTICE_NEW_SHIPMENT_SCHEDULE.vbs   \n",
       "\n",
       "    file_size            file_type_mime file_type  ... telfhash gimphash  \\\n",
       "0        9068  application/octet-stream   unknown  ...     None     None   \n",
       "1      625664     application/x-dosexec       exe  ...     None     None   \n",
       "2      834560     application/x-dosexec       exe  ...     None     None   \n",
       "3      857600     application/x-dosexec       exe  ...     None     None   \n",
       "4      879616     application/x-dosexec       exe  ...     None     None   \n",
       "..        ...                       ...       ...  ...      ...      ...   \n",
       "95    1494016     application/x-dosexec       exe  ...     None     None   \n",
       "96     899072     application/x-dosexec       exe  ...     None     None   \n",
       "97     968192     application/x-dosexec       exe  ...     None     None   \n",
       "98    2598632                  text/rtf       doc  ...     None     None   \n",
       "99     339381                text/plain       vbs  ...     None     None   \n",
       "\n",
       "                                               ssdeep        dhash_icon  \\\n",
       "0   192:7jBthS94xAvK2s/XKIAJb5tOlptSX2kebp3gVkjOBu...              None   \n",
       "1   12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm...  d4e2c8b4ccc8f2cc   \n",
       "2   12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB...              None   \n",
       "3   12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX...              None   \n",
       "4   24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7...              None   \n",
       "..                                                ...               ...   \n",
       "95  24576:rsLp0FasdJu/+/dfMs2KLoyaU/5DeTgtMyPtToli...  d0f09ef8b2f2d80c   \n",
       "96  24576:/vM4vwHmQlz8QpSh1UqvtClbsT2L+uUgi:/M84qk...  0069e8e8e8e89669   \n",
       "97  24576:GmY4vwHmQlPOfpSe+wFGcgNCLCxZC63DmAUkrgi:...  0069e8e8e8e89669   \n",
       "98  24576:tnW6hT611mIvGrJun1bTqRIq81PqAx/S8CS9ZzmS...              None   \n",
       "99  1536:b3/l9wbmaPJsGBJUby0OIZgc92CEehkk4D3L7Mqoq...              None   \n",
       "\n",
       "                            tags code_sign intelligence.clamav  \\\n",
       "0                           None        []                None   \n",
       "1              [agenttesla, exe]        []                None   \n",
       "2   [32, exe, RemcosRAT, trojan]        []                None   \n",
       "3    [32, exe, Formbook, trojan]        []                None   \n",
       "4          [32, AgentTesla, exe]        []                None   \n",
       "..                           ...       ...                 ...   \n",
       "95               [exe, Socelars]        []                None   \n",
       "96   [exe, geo, MassLogger, TUR]        []                None   \n",
       "97     [exe, Formbook, geo, TUR]        []                None   \n",
       "98               [doc, Formbook]        []                None   \n",
       "99               [GuLoader, vbs]        []                None   \n",
       "\n",
       "   intelligence.downloads intelligence.uploads intelligence.mail  \n",
       "0                      16                    1              None  \n",
       "1                     121                    1              None  \n",
       "2                     111                    1              None  \n",
       "3                     101                    1              None  \n",
       "4                     107                    1              None  \n",
       "..                    ...                  ...               ...  \n",
       "95                    172                    1              None  \n",
       "96                    175                    3              None  \n",
       "97                    188                    2              None  \n",
       "98                    185                    2              None  \n",
       "99                    115                    1              None  \n",
       "\n",
       "[100 rows x 26 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "mbrecent = mblookup.get_recent(selector=100)\n",
    "display(mbrecent)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Query Code Signing Certificate Blocklist (CSCB)\n",
    "\n",
    "MalwareBazaar maintains a list of code signing certificates used by threat actors to sign malware. The CSCB is regenerated every 5 minutes and is available in CSV format.\n",
    "\n",
    "The function get_cscb() retrieves the list as a pandas DataFrame. It can be called without any parameters."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 21,
   "metadata": {},
   "outputs": [
   ],
   "source": [
    "# Retrieve the Code Signing Certificate Blocklist as a DataFrame.\n",
    "mbcscb = mblookup.get_cscb()\n",
    "display(mbcscb)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Download a specific sample from Malware Bazaar\n",
    "The function download_sample() downloads a specific file identified by its sha256 hash. The downloaded file is a password-protected zip archive. You can ask @vx-underground for the password. :p"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "metadata": {},
   "outputs": [],
   "source": [
    "sample = mblookup.download_sample(\"7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754\")"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "metadata": {},
   "outputs": [],
   "source": [
    "# Write the downloaded bytes (a password-protected zip archive) to disk.\n",
    "with open(\"sample.zip\", \"wb\") as zippedsample:\n",
    "    zippedsample.write(sample)"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3 (ipykernel)",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.9.8"
  },
  "vscode": {
   "interpreter": {
    "hash": "11feda34545c9af0495d8c8d6854b4469c1219b03eba0db0aa3ba1c9e34588aa"
   }
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
